From 92607c723bdd49562ac3b41fb6c605307b389cde Mon Sep 17 00:00:00 2001
From: Peter Ujfalusi
Date: Thu, 23 Apr 2026 11:08:48 +0300
Subject: [PATCH] ipc: Fix IPC message sending with payload already prepared
If the msg->tx_size/data have been prepared by caller and it calls the function with NULL as data: ipc_msg_send(msg, NULL, false); then we try to copy from NULL to the msg->tx_data because msg->tx_data != data is true. The callers could be fixed as well, but the ipc_msg_send() and ipc_msg_send_direct() should handle this.
Signed-off-by: Peter Ujfalusi
---
 src/ipc/ipc-common.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/ipc/ipc-common.c b/src/ipc/ipc-common.c
index 10f241784625..84706e275798 100644
--- a/src/ipc/ipc-common.c
+++ b/src/ipc/ipc-common.c
@@ -205,7 +205,7 @@ __cold void ipc_msg_send_direct(struct ipc_msg *msg, void *data)
 key = k_spin_lock(&ipc->lock);
 /* copy mailbox data to message if not already copied */
- if (msg->tx_size > 0 && msg->tx_size <= SOF_IPC_MSG_MAX_SIZE &&
+ if (data && msg->tx_size > 0 && msg->tx_size <= SOF_IPC_MSG_MAX_SIZE &&
 msg->tx_data != data) {
 ret = memcpy_s(msg->tx_data, msg->tx_size, data, msg->tx_size);
 assert(!ret);
@@ -225,7 +225,7 @@ void ipc_msg_send(struct ipc_msg *msg, void *data, bool high_priority)
 key = k_spin_lock(&ipc->lock);
 /* copy mailbox data to message if not already copied */
- if ((msg->tx_size > 0 && msg->tx_size <= SOF_IPC_MSG_MAX_SIZE) &&
+ if (data && (msg->tx_size > 0 && msg->tx_size <= SOF_IPC_MSG_MAX_SIZE) &&
 msg->tx_data != data) {
 ret = memcpy_s(msg->tx_data, msg->tx_size, data, msg->tx_size);
 assert(!ret);
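Review bot: With the added `data &&` test in ipc_msg_send_direct(), a NULL `data` now means "payload already prepared", but the comment above the condition still reads "if not already copied" and nothing records that contract; the same applies to the second hunk in ipc_msg_send(). I would reword the comment in both places to `/* copy mailbox data unless the caller already filled msg->tx_data (data is NULL or equals msg->tx_data) */`. Because the function cannot tell a prepared payload from a caller that passed NULL by mistake, whatever msg->tx_data currently holds would presumably be sent in that case, so the contract is worth stating where callers will read it. Both function bodies start and end outside the hunks, so what happens after a skipped copy is not visible here.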