From 620a823262d565082c03ed4d221a766d94ca979f Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 28 Jul 2025 13:43:48 +0200
Subject: [PATCH] 5.10-stable patches

added patches:
	i2c-qup-jump-out-of-the-loop-in-case-of-timeout.patch
---
 ...p-out-of-the-loop-in-case-of-timeout.patch | 42 +++++++++++++++++++
 queue-5.10/series                             |  1 +
 2 files changed, 43 insertions(+)
 create mode 100644 queue-5.10/i2c-qup-jump-out-of-the-loop-in-case-of-timeout.patch

diff --git a/queue-5.10/i2c-qup-jump-out-of-the-loop-in-case-of-timeout.patch b/queue-5.10/i2c-qup-jump-out-of-the-loop-in-case-of-timeout.patch
new file mode 100644
index 0000000000..a1a258b62c
--- /dev/null
+++ b/queue-5.10/i2c-qup-jump-out-of-the-loop-in-case-of-timeout.patch
@@ -0,0 +1,42 @@
+From a7982a14b3012527a9583d12525cd0dc9f8d8934 Mon Sep 17 00:00:00 2001
+From: Yang Xiwen <forbidden405@outlook.com>
+Date: Mon, 16 Jun 2025 00:01:10 +0800
+Subject: i2c: qup: jump out of the loop in case of timeout
+
+From: Yang Xiwen <forbidden405@outlook.com>
+
+commit a7982a14b3012527a9583d12525cd0dc9f8d8934 upstream.
+
+Original logic only sets the return value but doesn't jump out of the
+loop if the bus is kept active by a client. This is not expected. A
+malicious or buggy i2c client can hang the kernel in this case and
+should be avoided. This is observed during a long time test with a
+PCA953x GPIO extender.
+
+Fix it by changing the logic to not only sets the return value, but also
+jumps out of the loop and return to the caller with -ETIMEDOUT.
+
+Fixes: fbfab1ab0658 ("i2c: qup: reorganization of driver code to remove polling for qup v1")
+Signed-off-by: Yang Xiwen <forbidden405@outlook.com>
+Cc: <stable@vger.kernel.org> # v4.17+
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20250616-qca-i2c-v1-1-2a8d37ee0a30@outlook.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-qup.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-qup.c
++++ b/drivers/i2c/busses/i2c-qup.c
+@@ -452,8 +452,10 @@ static int qup_i2c_bus_active(struct qup
+ 		if (!(status & I2C_STATUS_BUS_ACTIVE))
+ 			break;
+ 
+-		if (time_after(jiffies, timeout))
++		if (time_after(jiffies, timeout)) {
+ 			ret = -ETIMEDOUT;
++			break;
++		}
+ 
+ 		usleep_range(len, len * 2);
+ 	}
diff --git a/queue-5.10/series b/queue-5.10/series
index 25e5d21c81..ce040bf853 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -61,3 +61,4 @@ net-appletalk-fix-use-after-free-in-aarp-proxy-probe.patch
 net-sched-sch_qfq-avoid-triggering-might_sleep-in-at.patch
 net-hns3-refine-the-struct-hane3_tc_info.patch
 net-hns3-fixed-vf-get-max-channels-bug.patch
+i2c-qup-jump-out-of-the-loop-in-case-of-timeout.patch
-- 
2.47.2