msm: arm: krait: Patch for krait array access out of bound

Current array-bound-check does not cover all cases.
An attacker can use this loophole to redirect $PC to attacker-controlled functions.

The fix is to move the existing array-bound-check to a later location to cover all cases.

Bug: 25773204
Change-Id: I947c872bf3c39dfdd13f029b2fbbb81874a8bca6
Signed-off-by: Yuan Lin <yualin@google.com>

arch/arm/kernel/perf_event_msm_krait.c

@@ -207,8 +207,6 @@ static unsigned int get_krait_evtinfo(unsigned int krait_evt_type,
 	code = (krait_evt_type & 0x00FF0) >> 4;
 	group = krait_evt_type & 0x0000F;
 
-	if ((group > 3) || (reg > KRAIT_MAX_L1_REG))
-		return -EINVAL;
 
 	if (prefix != KRAIT_EVT_PREFIX && prefix != KRAIT_VENUMEVT_PREFIX)
 		return -EINVAL;
@@ -220,6 +218,9 @@ static unsigned int get_krait_evtinfo(unsigned int krait_evt_type,
 			reg += VENUM_BASE_OFFSET;
 	}
 
+	if ((group > 3) || (reg > KRAIT_MAX_L1_REG))
+		return -EINVAL;
+
 	evtinfo->group_setval = 0x80000000 | (code << (group * 8));
 	evtinfo->groupcode = reg;
 	evtinfo->armv7_evt_type = evt_type_base[reg] | group;