From bf52579f92c30cb6ebb65a007b4f0dab9f135695 Mon Sep 17 00:00:00 2001
From: Ben Noordhuis <info@bnoordhuis.nl>
Date: Fri, 9 Oct 2015 13:14:24 +0200
Subject: [PATCH] unix: only undo fs req registration in async mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Commit 0199955 ("fs: undo uv__req_init when uv__malloc failed")
mistakingly unregisters the requests unconditionally in a few places,
resulting in memory corruption when it hasn't been registered first.

Fixes: https://github.com/libuv/libuv/pull/543
PR-URL: https://github.com/libuv/libuv/pull/567
Reviewed-By: Saúl Ibarra Corretgé <saghul@gmail.com>
---
 src/unix/fs.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/unix/fs.c b/src/unix/fs.c
index ff27e84a..d593d2ec 100644
--- a/src/unix/fs.c
+++ b/src/unix/fs.c
@@ -1067,7 +1067,8 @@ int uv_fs_mkdtemp(uv_loop_t* loop,
   INIT(MKDTEMP);
   req->path = uv__strdup(tpl);
   if (req->path == NULL) {
-    uv__req_unregister(loop, req);
+    if (cb != NULL)
+      uv__req_unregister(loop, req);
     return -ENOMEM;
   }
   POST;
@@ -1106,7 +1107,8 @@ int uv_fs_read(uv_loop_t* loop, uv_fs_t* req,
     req->bufs = uv__malloc(nbufs * sizeof(*bufs));
 
   if (req->bufs == NULL) {
-    uv__req_unregister(loop, req);
+    if (cb != NULL)
+      uv__req_unregister(loop, req);
     return -ENOMEM;
   }
 
@@ -1233,7 +1235,8 @@ int uv_fs_write(uv_loop_t* loop,
     req->bufs = uv__malloc(nbufs * sizeof(*bufs));
 
   if (req->bufs == NULL) {
-    uv__req_unregister(loop, req);
+    if (cb != NULL)
+      uv__req_unregister(loop, req);
     return -ENOMEM;
   }