Add missing dst_release() when alloc_ep_skb_list() fails to prevent
reference count leak of the dst obtained from route lookup.

Fixes: 4a740838bf44 ("RDMA/iw_cxgb4: Low resource fixes for connection manager")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
---
 drivers/infiniband/hw/cxgb4/cm.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
index b3b45c49077d..3490b8920cf0 100644
--- a/drivers/infiniband/hw/cxgb4/cm.c
+++ b/drivers/infiniband/hw/cxgb4/cm.c
@@ -2665,6 +2665,7 @@ static int pass_accept_req(struct c4iw_dev *dev, struct sk_buff *skb)
 	}
 	goto out;
 fail:
+	dst_release(dst);
 	c4iw_put_ep(&child_ep->com);
 reject:
 	reject_cr(dev, hwtid, skb);
-- 
2.34.1

On Mon, Dec 15, 2025 at 03:33:56PM +0000, Wentao Liang wrote:
> Add missing dst_release() when alloc_ep_skb_list() fails to prevent
> reference count leak of the dst obtained from route lookup.

I'm not convinced this path is correct. I also don't see a call to  
"kfree(child_ep);" in that case.

Thanks

> 
> Fixes: 4a740838bf44 ("RDMA/iw_cxgb4: Low resource fixes for connection manager")
> Cc: stable@vger.kernel.org
> Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
> ---
>  drivers/infiniband/hw/cxgb4/cm.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
> index b3b45c49077d..3490b8920cf0 100644
> --- a/drivers/infiniband/hw/cxgb4/cm.c
> +++ b/drivers/infiniband/hw/cxgb4/cm.c
> @@ -2665,6 +2665,7 @@ static int pass_accept_req(struct c4iw_dev *dev, struct sk_buff *skb)
>  	}
>  	goto out;
>  fail:
> +	dst_release(dst);
>  	c4iw_put_ep(&child_ep->com);
>  reject:
>  	reject_cr(dev, hwtid, skb);
> -- 
> 2.34.1
>