fs: Don't unref luv_dir_t until after we're actually sure it's okay to GC it

squeek502 · squeek502 · commit af434d1ecbf7 · 2026-03-29T21:42:43.000-07:00
It was technically possible for the luv_dir_t to be garbage collected, which would lead to the dirent data being unref'ed and that *also* could garbage collected, before one of the luv_push_dirent calls that use the dirent data (i.e. a possible use-after-free). Seems very unlikely in real-world usage, but 100% reproducible with a maximally aggressive/stop-the-world GC.
diff --git a/src/fs.c b/src/fs.c
@@ -374,9 +374,6 @@ static int push_fs_result(lua_State* L, uv_fs_t* req) {
       return 1;
     }
     case UV_FS_READDIR: {
-      luaL_unref(L, LUA_REGISTRYINDEX, data->data_ref);
-      data->data_ref = LUA_NOREF;
-
       if(req->result > 0) {
         size_t i;
         uv_dir_t *dir = (uv_dir_t*)req->ptr;
@@ -388,6 +385,8 @@ static int push_fs_result(lua_State* L, uv_fs_t* req) {
       } else
         lua_pushnil(L);
 
+      luaL_unref(L, LUA_REGISTRYINDEX, data->data_ref);
+      data->data_ref = LUA_NOREF;
       return 1;
     }
     case UV_FS_CLOSEDIR:
