Commit 27c1ec4848 for qemu.org

commit 27c1ec4848056699dca7cd2b1d445125d934272e
Author: Marc-André Lureau <marcandre.lureau@redhat.com>
Date:   Mon Apr 27 20:50:43 2026 +0400

    hw/i2c/pmbus: fix undefined behavior in pmbus_direct_mode2data

    The intermediate result of (Y * 10^-R - b) / m can be negative when
    the bias (b) is large and the raw register value is small (e.g. zero
    on an uninitialized device). Assigning that negative double to uint32_t
    is undefined behavior, caught by UBSan/clang.

    Use a double intermediate and clamp negative results to zero (suggested
    by Daniel Berrangé)

    Fixes: 3746d5c15e70 ("hw/i2c: add support for PMBus")
    Reviewed-by: Titus Rwantare <titusr@google.com>
    Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>

diff --git a/hw/i2c/pmbus_device.c b/hw/i2c/pmbus_device.c
index 853dc4b434..b1f9843f52 100644
--- a/hw/i2c/pmbus_device.c
+++ b/hw/i2c/pmbus_device.c
@@ -23,8 +23,10 @@ uint16_t pmbus_data2direct_mode(PMBusCoefficients c, uint32_t value)
 uint32_t pmbus_direct_mode2data(PMBusCoefficients c, uint16_t value)
 {
     /* X = (Y * 10^-R - b) / m */
-    uint32_t x = (value / pow(10, c.R) - c.b) / c.m;
-    return x;
+    double x = (value / pow(10, c.R) - c.b) / c.m;
+    return (x > 0
+              ? (x < G_MAXUINT32 ? (uint32_t)x : G_MAXUINT32)
+              : 0);
 }

 uint16_t pmbus_data2linear_mode(uint16_t value, int exp)