nfsd4_decode_bitmap4() will write beyond bmval[bmlen-1] if the RPC
directs it to do so. This can cause nfsd4_decode_state_protect4_a() to
write client-supplied data beyond the end of
nfsd4_exchange_id.spo_must_allow[] when called by
nfsd4_decode_exchange_id().

I've attached a demo in which the client's EXCHANGE_ID RPC supplies an
address (0x400) that nfsd4_decode_bitmap4() writes into
nii_domain.data due to overflowing bmval[]. The EXCHANGE_ID RPC also
supplies a zero-length eia_client_impl_id<>. The result is that
copy_impl_id() (called by nfsd4_exchange_id()) tries to read from
address 0x400.

# cc nfsd_1.c
# uname -a
Linux (none) 5.15.0-rc7-dirty #64 SMP Sat Nov 13 20:10:21 UTC 2021 riscv64 riscv64 riscv64 GNU/Linux
# ./nfsd_1
...
[   16.600786] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000400
[   16.643621] epc : __memcpy+0x3c/0xf8
[   16.650154]  ra : kmemdup+0x2c/0x3c
[   16.657733] epc : ffffffff803667bc ra : ffffffff800e80fe sp : ffffffd000553c20
[   16.777502] status: 0000000200000121 badaddr: 0000000000000400 cause: 000000000000000d
[   16.788193] [<ffffffff803667bc>] __memcpy+0x3c/0xf8
[   16.796504] [<ffffffff8028cf0e>] nfsd4_exchange_id+0xe6/0x406
[   16.806159] [<ffffffff8027c352>] nfsd4_proc_compound+0x2b4/0x4e8
[   16.815721] [<ffffffff80266782>] nfsd_dispatch+0x118/0x172
[   16.823405] [<ffffffff807633fa>] svc_process_common+0x2de/0x62c
[   16.832935] [<ffffffff8076380c>] svc_process+0xc4/0x102
[   16.840421] [<ffffffff802661de>] nfsd+0x102/0x16a
[   16.848520] [<ffffffff80025b60>] kthread+0xfe/0x110
[   16.856648] [<ffffffff80003054>] ret_from_exception+0x0/0xc