From 2424f0fb35289b3202a2927e8c524e3613e48fd6 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 28 Jul 2025 13:43:27 +0200
Subject: [PATCH] 5.4-stable patches

added patches:
	i2c-qup-jump-out-of-the-loop-in-case-of-timeout.patch
---
 ...p-out-of-the-loop-in-case-of-timeout.patch | 42 +++++++++++++++++++
 queue-5.4/series                              |  1 +
 2 files changed, 43 insertions(+)
 create mode 100644 queue-5.4/i2c-qup-jump-out-of-the-loop-in-case-of-timeout.patch

diff --git a/queue-5.4/i2c-qup-jump-out-of-the-loop-in-case-of-timeout.patch b/queue-5.4/i2c-qup-jump-out-of-the-loop-in-case-of-timeout.patch
new file mode 100644
index 0000000000..09817fd08c
--- /dev/null
+++ b/queue-5.4/i2c-qup-jump-out-of-the-loop-in-case-of-timeout.patch
@@ -0,0 +1,42 @@
+From a7982a14b3012527a9583d12525cd0dc9f8d8934 Mon Sep 17 00:00:00 2001
+From: Yang Xiwen <forbidden405@outlook.com>
+Date: Mon, 16 Jun 2025 00:01:10 +0800
+Subject: i2c: qup: jump out of the loop in case of timeout
+
+From: Yang Xiwen <forbidden405@outlook.com>
+
+commit a7982a14b3012527a9583d12525cd0dc9f8d8934 upstream.
+
+Original logic only sets the return value but doesn't jump out of the
+loop if the bus is kept active by a client. This is not expected. A
+malicious or buggy i2c client can hang the kernel in this case and
+should be avoided. This is observed during a long time test with a
+PCA953x GPIO extender.
+
+Fix it by changing the logic to not only sets the return value, but also
+jumps out of the loop and return to the caller with -ETIMEDOUT.
+
+Fixes: fbfab1ab0658 ("i2c: qup: reorganization of driver code to remove polling for qup v1")
+Signed-off-by: Yang Xiwen <forbidden405@outlook.com>
+Cc: <stable@vger.kernel.org> # v4.17+
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20250616-qca-i2c-v1-1-2a8d37ee0a30@outlook.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-qup.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-qup.c
++++ b/drivers/i2c/busses/i2c-qup.c
+@@ -449,8 +449,10 @@ static int qup_i2c_bus_active(struct qup
+ 		if (!(status & I2C_STATUS_BUS_ACTIVE))
+ 			break;
+ 
+-		if (time_after(jiffies, timeout))
++		if (time_after(jiffies, timeout)) {
+ 			ret = -ETIMEDOUT;
++			break;
++		}
+ 
+ 		usleep_range(len, len * 2);
+ 	}
diff --git a/queue-5.4/series b/queue-5.4/series
index 9575cea9de..3f75925963 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -57,3 +57,4 @@ rdma-core-rate-limit-gid-cache-warning-messages.patch
 net-appletalk-fix-kerneldoc-warnings.patch
 net-appletalk-fix-use-after-free-in-aarp-proxy-probe.patch
 net-sched-sch_qfq-avoid-triggering-might_sleep-in-at.patch
+i2c-qup-jump-out-of-the-loop-in-case-of-timeout.patch
-- 
2.47.2