From 8a9dc13e91f4e77575ce50ff4fc647ab6c587774 Mon Sep 17 00:00:00 2001
From: Chun-Chieh Li <ccli8@nuvoton.com>
Date: Mon, 16 Jun 2025 12:01:50 +0800
Subject: [PATCH] drivers: wifi: esp_at: fix rx_sock not ref-counted

This fixes rx_sock is not reference-counted, or crash error on reference
to released socket.

Signed-off-by: Chun-Chieh Li <ccli8@nuvoton.com>
---
 drivers/wifi/esp_at/esp_offload.c | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/drivers/wifi/esp_at/esp_offload.c b/drivers/wifi/esp_at/esp_offload.c
index 1fcb90b5c53..922f8e8e02d 100644
--- a/drivers/wifi/esp_at/esp_offload.c
+++ b/drivers/wifi/esp_at/esp_offload.c
@@ -547,10 +547,16 @@ MODEM_CMD_DIRECT_DEFINE(on_cmd_ciprecvdata)
 {
 	struct esp_data *dev = CONTAINER_OF(data, struct esp_data,
 					    cmd_handler_data);
-	struct esp_socket *sock = dev->rx_sock;
+	struct esp_socket *sock;
 	int data_offset, data_len;
 	int err;
 
+	sock = esp_socket_ref(dev->rx_sock);
+	if (!sock) {
+		LOG_ERR("No rx_sock socket");
+		return -ENOTCONN;
+	}
+
 #if defined(CONFIG_WIFI_ESP_AT_CIPDINFO_USE)
 	char raw_remote_ip[INET_ADDRSTRLEN + 3] = {0};
 	int port = 0;
@@ -563,10 +569,10 @@ MODEM_CMD_DIRECT_DEFINE(on_cmd_ciprecvdata)
 #endif
 	if (err) {
 		if (err == -EAGAIN) {
-			return -EAGAIN;
+			goto socket_unref;
 		}
 
-		return err;
+		goto socket_unref;
 	}
 
 #if defined(CONFIG_WIFI_ESP_AT_CIPDINFO_USE)
@@ -591,12 +597,18 @@ MODEM_CMD_DIRECT_DEFINE(on_cmd_ciprecvdata)
 	if (net_addr_pton(AF_INET, remote_ip_addr, &recv_addr->sin_addr) < 0) {
 		LOG_ERR("Invalid src addr %s", remote_ip_addr);
 		err = -EIO;
-		return err;
+		goto socket_unref;
 	}
 #endif
 	esp_socket_rx(sock, data->rx_buf, data_offset, data_len);
 
-	return data_offset + data_len;
+	err = data_offset + data_len;
+	goto socket_unref;
+
+socket_unref:
+	esp_socket_unref(sock);
+
+	return err;
 }
 
 void esp_recvdata_work(struct k_work *work)