In mux_get(), of_node_put(args.np) is called prematurely in error paths
before the last access to args.np, leading to a use-after-free if the
node is freed. Move the of_node_put() calls after the last use of args.np
to prevent this.

Fixes: 84564481bc45 ("mux: Add support for reading mux state from consumer DT node")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
---
 drivers/mux/core.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/mux/core.c b/drivers/mux/core.c
index f09ee8782e3d..113af77c3ee2 100644
--- a/drivers/mux/core.c
+++ b/drivers/mux/core.c
@@ -564,9 +564,10 @@ static struct mux_control *mux_get(struct device *dev, const char *mux_name,
 	}
 
 	mux_chip = of_find_mux_chip_by_node(args.np);
-	of_node_put(args.np);
-	if (!mux_chip)
+	if (!mux_chip) {
+		of_node_put(args.np);
 		return ERR_PTR(-EPROBE_DEFER);
+	}
 
 	controller = 0;
 	if (state) {
@@ -575,8 +576,10 @@ static struct mux_control *mux_get(struct device *dev, const char *mux_name,
 			dev_err(dev, "%pOF: wrong #mux-state-cells for %pOF\n",
 				np, args.np);
 			put_device(&mux_chip->dev);
+			of_node_put(args.np);
 			return ERR_PTR(-EINVAL);
 		}
+		of_node_put(args.np);
 
 		if (args.args_count == 2) {
 			controller = args.args[0];
@@ -591,9 +594,11 @@ static struct mux_control *mux_get(struct device *dev, const char *mux_name,
 			dev_err(dev, "%pOF: wrong #mux-control-cells for %pOF\n",
 				np, args.np);
 			put_device(&mux_chip->dev);
+			of_node_put(args.np);
 			return ERR_PTR(-EINVAL);
 		}
 
+		of_node_put(args.np);
 		if (args.args_count)
 			controller = args.args[0];
 	}
-- 
2.34.1