sfc: ensure type is valid before updating seen_gen

In the case of invalid or corrupted v2 counter update packets,
 efx_tc_rx_version_2() returns EFX_TC_COUNTER_TYPE_MAX.  In this case
 we should not attempt to update generation counts as this will write
 beyond the end of the seen_gen array.

Reported-by: coverity-bot <[email protected]>
Addresses-Coverity-ID: 1527356 ("Memory - illegal accesses")
Fixes: 25730d8 ("sfc: add extra RX channel to receive MAE counter updates on ef100")
Signed-off-by: Edward Cree <[email protected]>
Reviewed-by: Kees Cook <[email protected]>
Signed-off-by: David S. Miller <[email protected]>

Author: Edward Cree

drivers/net/ethernet/sfc/tc_counters.c

@@ -476,13 +476,15 @@ static bool efx_tc_rx(struct efx_rx_queue *rx_queue, u32 mark)
 		goto out;
 	}
 
-	/* Update seen_gen unconditionally, to avoid a missed wakeup if
-	 * we race with efx_mae_stop_counters().
-	 */
-	efx->tc->seen_gen[type] = mark;
-	if (efx->tc->flush_counters &&
-	    (s32)(efx->tc->flush_gen[type] - mark) <= 0)
-		wake_up(&efx->tc->flush_wq);
+	if (type < EFX_TC_COUNTER_TYPE_MAX) {
+		/* Update seen_gen unconditionally, to avoid a missed wakeup if
+		 * we race with efx_mae_stop_counters().
+		 */
+		efx->tc->seen_gen[type] = mark;
+		if (efx->tc->flush_counters &&
+		    (s32)(efx->tc->flush_gen[type] - mark) <= 0)
+			wake_up(&efx->tc->flush_wq);
+	}
 out:
 	efx_free_rx_buffers(rx_queue, rx_buf, 1);
 	channel->rx_pkt_n_frags = 0;