kern/file: Call grub_dl_unref() after fs->fs_close()

With commit 16f196874 (kern/file: Implement filesystem reference
counting) files hold a reference to their file systems.

When closing a file in grub_file_close() we should not expect
file->fs to stay valid after calling grub_dl_unref() on file->fs->mod.
So, grub_dl_unref() should be called after file->fs->fs_close().

Fixes: CVE-2025-54771
Fixes: 16f196874 (kern/file: Implement filesystem reference counting)
Reported-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c
index 6e7efe89abd67387625b1b51b30c812cf8f33d3a..eb52fd25fdada216f8e1e1fc3f79e609d545e478 100644 (file)
--- a/grub-core/kern/file.c
+++ b/grub-core/kern/file.c
@@ -201,12 +201,12 @@ grub_file_read (grub_file_t file, void *buf, grub_size_t len)
 grub_err_t
 grub_file_close (grub_file_t file)
 {
-  if (file->fs->mod)
-    grub_dl_unref (file->fs->mod);
-
   if (file->fs->fs_close)
     (file->fs->fs_close) (file);
 
+  if (file->fs->mod)
+    grub_dl_unref (file->fs->mod);
+
   if (file->device)
     grub_device_close (file->device);
   grub_free (file->name);