From ddd2297adcc0ad6983f710b0564bc48e030f2ced Mon Sep 17 00:00:00 2001
From: Srikanth Patchava
Date: Fri, 17 Apr 2026 13:07:17 -0700
Subject: [PATCH 1/2] fix: guard LOG_D against null thread pointer in rt_ipc_list_resume() When rt_susp_list_dequeue() returns RT_NULL (empty suspended list), the LOG_D call dereferences thread->parent.name without a null check, causing a crash in debug builds.
---
 src/ipc.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/ipc.c b/src/ipc.c
index 7c52956b1c2..3a26d044be6 100644
--- a/src/ipc.c
+++ b/src/ipc.c
@@ -44,7 +44,7 @@
 * 2022-04-08 Stanley Correct descriptions
 * 2022-10-15 Bernard add nested mutex feature
 * 2022-10-16 Bernard add prioceiling feature in mutex
- * 2023-04-16 Xin-zheqi redesigen queue recv and send function return real message size
+ * 2023-04-16 Xin-zheqi redesign queue recv and send function return real message size
 * 2023-09-15 xqyjlj perf rt_hw_interrupt_disable/enable
 */
@@ -140,7 +140,10 @@ struct rt_thread *rt_susp_list_dequeue(rt_list_t *susp_list, rt_err_t thread_err
 }
 rt_sched_unlock(slvl);
- LOG_D("resume thread:%s\n", thread->parent.name);
+ if (thread != RT_NULL)
+ {
+ LOG_D("resume thread:%s\n", thread->parent.name);
+ }
 return thread;
 }
From 8670eb1f89d9532b7029d34da7f8ab2d0fe63ac6 Mon Sep 17 00:00:00 2001
From: Srikanth Patchava
Date: Fri, 24 Apr 2026 22:28:16 -0700
Subject: [PATCH 2/2] fix: check overflow before modifying IPC state in send functions _rt_mb_send_wait, _rt_mq_send_wait, and rt_mq_urgent modified mailbox and message queue data structures before checking overflow conditions. On overflow, they returned errors without rolling back changes, causing state corruption. Moved overflow checks before state modifications.
Signed-off-by: Srikanth Patchava
Signed-off-by: Srikanth Patchava
---
 src/ipc.c | 61 ++++++++++++++++++++++++++++---------------------------
 1 file changed, 31 insertions(+), 30 deletions(-)
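Review bot: The re-added `LOG_D` still executes after `rt_sched_unlock(slvl)`, so `thread->parent.name` is read with the scheduler lock already released; if the dequeued thread can run or be torn down on another core by that point, the read races with it, so consider taking the name (or emitting the log) while the lock is still held, in the branch that established a non-null thread. The subject line names rt_ipc_list_resume(), but the hunk header shows the enclosing function is rt_susp_list_dequeue(), which the body text already uses, so the subject should match. A one-line comment on the guard, `/* thread is RT_NULL when susp_list was empty */`, would record why the check is needed at this point. rt_susp_list_dequeue's body begins outside the hunk.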
diff --git a/src/ipc.c b/src/ipc.c
index 3a26d044be6..a03100a0d0e 100644
--- a/src/ipc.c
+++ b/src/ipc.c
@@ -2664,6 +2664,12 @@ static rt_err_t _rt_mb_send_wait(rt_mailbox_t mb,
 }
 }
+ if(mb->entry >= RT_MB_ENTRY_MAX)
+ {
+ rt_spin_unlock_irqrestore(&(mb->spinlock), level);
+ return -RT_EFULL; /* value overflowed */
+ }
+
 /* set ptr */
 mb->msg_pool[mb->in_offset] = value;
 /* increase input offset */
@@ -2671,16 +2677,8 @@ static rt_err_t _rt_mb_send_wait(rt_mailbox_t mb,
 if (mb->in_offset >= mb->size)
 mb->in_offset = 0;
- if(mb->entry < RT_MB_ENTRY_MAX)
- {
- /* increase message entry */
- mb->entry ++;
- }
- else
- {
- rt_spin_unlock_irqrestore(&(mb->spinlock), level);
- return -RT_EFULL; /* value overflowed */
- }
+ /* increase message entry */
+ mb->entry ++;
 /* resume suspended thread */
 if (!rt_list_isempty(&mb->parent.suspend_thread))
@@ -3506,6 +3504,16 @@ static rt_err_t _rt_mq_send_wait(rt_mq_t mq,
 /* disable interrupt */
 level = rt_spin_lock_irqsave(&(mq->spinlock));
+
+ if(mq->entry >= RT_MQ_ENTRY_MAX)
+ {
+ /* return message to free list */
+ msg->next = (struct rt_mq_message *)mq->msg_queue_free;
+ mq->msg_queue_free = msg;
+ rt_spin_unlock_irqrestore(&(mq->spinlock), level);
+ return -RT_EFULL; /* value overflowed */
+ }
+
 #ifdef RT_USING_MESSAGEQUEUE_PRIORITY
 msg->prio = prio;
 if (mq->msg_queue_head == RT_NULL)
@@ -3547,16 +3555,8 @@ static rt_err_t _rt_mq_send_wait(rt_mq_t mq,
 mq->msg_queue_head = msg;
 #endif
- if(mq->entry < RT_MQ_ENTRY_MAX)
- {
- /* increase message entry */
- mq->entry ++;
- }
- else
- {
- rt_spin_unlock_irqrestore(&(mq->spinlock), level);
- return -RT_EFULL; /* value overflowed */
- }
+ /* increase message entry */
+ mq->entry ++;
 /* resume suspended thread */
 if (!rt_list_isempty(&mq->parent.suspend_thread))
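Review bot: The new guard `if(mb->entry >= RT_MB_ENTRY_MAX)` drops the space after `if` that the surrounding code uses (`if (mb->in_offset >= mb->size)` in the next hunk's context), and the same spelling appears in the guards added to _rt_mq_send_wait and rt_mq_urgent, so `if (mb->entry >= RT_MB_ENTRY_MAX)` and its two mq counterparts should be spaced alike. The trailing `/* value overflowed */` is also misleading now that the check runs before anything is written: nothing has overflowed, the counter is being refused its maximum, so `/* entry counter at RT_MB_ENTRY_MAX: refuse before touching msg_pool/in_offset */` states what the early return protects. _rt_mb_send_wait begins before the hunk; the `} }` context suggests the guard sits right after the full-mailbox wait loop, with mb->spinlock held, which the unlock on the return path confirms.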
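Review bot: The eight-line rollback block added in _rt_mq_send_wait is repeated verbatim in rt_mq_urgent (the `@@ -3697` hunk), and the two-line free-list push inside it is likely needed wherever a message is handed back to msg_queue_free, so a small static helper would keep the copies from drifting; the sketch below shows the helper and this guard rewritten to use it. The push is safe only because mq->spinlock is held here (taken on the line above, released on the return path), so the helper's comment should state that precondition for later callers. _rt_mq_send_wait's body begins outside the hunk, and any other free-list push in the file is not visible in this patch.
```c
/* Push msg back onto mq's free list; the caller must hold mq->spinlock. */
static void _mq_msg_put_free(rt_mq_t mq, struct rt_mq_message *msg)
{
    msg->next = (struct rt_mq_message *)mq->msg_queue_free;
    mq->msg_queue_free = msg;
}

/* … unchanged: _rt_mq_send_wait up to the re-acquired spinlock … */
    if (mq->entry >= RT_MQ_ENTRY_MAX)
    {
        /* counter would pass RT_MQ_ENTRY_MAX: give the message back, nothing else touched yet */
        _mq_msg_put_free(mq, msg);
        rt_spin_unlock_irqrestore(&(mq->spinlock), level);
        return -RT_EFULL;
    }
```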
@@ -3697,6 +3697,15 @@ rt_err_t rt_mq_urgent(rt_mq_t mq, const void *buffer, rt_size_t size)
 level = rt_spin_lock_irqsave(&(mq->spinlock));
+ if(mq->entry >= RT_MQ_ENTRY_MAX)
+ {
+ /* return message to free list */
+ msg->next = (struct rt_mq_message *)mq->msg_queue_free;
+ mq->msg_queue_free = msg;
+ rt_spin_unlock_irqrestore(&(mq->spinlock), level);
+ return -RT_EFULL; /* value overflowed */
+ }
+
 /* link msg to the beginning of message queue */
 msg->next = (struct rt_mq_message *)mq->msg_queue_head;
 mq->msg_queue_head = msg;
@@ -3705,16 +3714,8 @@ rt_err_t rt_mq_urgent(rt_mq_t mq, const void *buffer, rt_size_t size)
 if (mq->msg_queue_tail == RT_NULL)
 mq->msg_queue_tail = msg;
- if(mq->entry < RT_MQ_ENTRY_MAX)
- {
- /* increase message entry */
- mq->entry ++;
- }
- else
- {
- rt_spin_unlock_irqrestore(&(mq->spinlock), level);
- return -RT_EFULL; /* value overflowed */
- }
+ /* increase message entry */
+ mq->entry ++;
 /* resume suspended thread */
 if (!rt_list_isempty(&mq->parent.suspend_thread))