The following issues were found:

fs/nfs/nfs4state.c
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 1210 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              void nfs4_schedule_state_manager(struct nfs_client *clp)
{
	struct task_struct *task;
	char buf[INET6_ADDRSTRLEN + sizeof("-manager") + 1];

	set_bit(NFS4CLNT_RUN_MANAGER, &clp->cl_state);
	if (test_and_set_bit(NFS4CLNT_MANAGER_RUNNING, &clp->cl_state) != 0)
		return;
	__module_get(THIS_MODULE);

            

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 2676 Column: 6 CWE codes: 126

              	goto out_drain;

out_error:
	if (strlen(section))
		section_sep = ": ";
	trace_nfs4_state_mgr_failed(clp, section, status);
	pr_warn_ratelimited("NFS: state manager%s%s failed on NFSv4 server %s"
			" with error %d\n", section_sep, section,
			clp->cl_hostname, -status);

            

Reported by FlawFinder.

fs/nfs_common/grace.c
2 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? In the snippet below the flagged token is the `bool open` parameter of `__state_in_grace()`, not a call to open(2), so the file-race concern does not apply to this match.
Security

Line: 64 Column: 40 CWE codes: 362

              EXPORT_SYMBOL_GPL(locks_end_grace);

static bool
__state_in_grace(struct net *net, bool open)
{
	struct list_head *grace_list = net_generic(net, grace_net_id);
	struct lock_manager *lm;

	if (!open)

            

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? The match here is `if (!open)`, which tests the `bool open` argument of `__state_in_grace()` rather than opening a file, so this is a name collision, not a file race.
Security

Line: 69 Column: 7 CWE codes: 362

              	struct list_head *grace_list = net_generic(net, grace_net_id);
	struct lock_manager *lm;

	if (!open)
		return !list_empty(grace_list);

	spin_lock(&grace_lock);
	list_for_each_entry(lm, grace_list, list) {
		if (lm->block_opens) {

            

Reported by FlawFinder.

fs/nfsd/fault_inject.c
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 33 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              				 size_t len, loff_t *ppos)
{
	static u64 val;
	char read_buf[25];
	size_t size;
	loff_t pos = *ppos;
	struct nfsd_fault_inject_op *op = file_inode(file)->i_private;

	if (!pos)

            

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 48 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              static ssize_t fault_inject_write(struct file *file, const char __user *buf,
				  size_t len, loff_t *ppos)
{
	char write_buf[INET6_ADDRSTRLEN];
	size_t size = min(sizeof(write_buf) - 1, len);
	struct net *net = current->nsproxy->net_ns;
	struct sockaddr_storage sa;
	struct nfsd_fault_inject_op *op = file_inode(file)->i_private;
	u64 val;

            

Reported by FlawFinder.

fs/nfsd/flexfilelayout.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 64 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data. Here the copy length is `fl->fh.size`, taken from `fhp->fh_handle.fh_size` on the line before, so the property to verify is that `fh_size` can never exceed `sizeof(fl->fh.data)`.

              		goto out_error;

	fl->fh.size = fhp->fh_handle.fh_size;
	memcpy(fl->fh.data, &fhp->fh_handle.fh_base, fl->fh.size);

	/* Give whole file layout segments */
	seg->offset = 0;
	seg->length = NFS4_MAX_UINT64;


            

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 86 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              	struct pnfs_ff_device_addr *da;

	u16 port;
	char addr[INET6_ADDRSTRLEN];

	da = kzalloc(sizeof(struct pnfs_ff_device_addr), GFP_KERNEL);
	if (!da)
		return nfserrno(-ENOMEM);


            

Reported by FlawFinder.

fs/nfsd/flexfilelayoutxdr.h
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 20 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              #define FF_NETID_LEN		(4)
#define FF_ADDR_LEN		(INET6_ADDRSTRLEN + 8)
/*
 * Netid/address pair of a flexfile data server.
 *
 * Both strings are fixed-size char arrays; the trailing "+ 1" reserves
 * space for the NUL terminator.  Nothing in the type enforces bounds, so
 * every writer must stay within FF_NETID_LEN / FF_ADDR_LEN characters.
 */
struct pnfs_ff_netaddr {
	char				netid[FF_NETID_LEN + 1];	/* e.g. "tcp"/"tcp6" (3/4 chars + NUL) */
	char				addr[FF_ADDR_LEN + 1];	/* INET6_ADDRSTRLEN + 8; extra presumably for a port suffix -- TODO confirm */
	u32				netid_len;	/* bytes used in netid, set by the writer */
	u32				addr_len;	/* bytes used in addr, set by the writer */
};


            

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 21 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              #define FF_ADDR_LEN		(INET6_ADDRSTRLEN + 8)
/*
 * Netid/address pair of a flexfile data server.
 *
 * netid and addr are fixed-size, NUL-terminated buffers (hence the "+ 1");
 * callers that fill them must bound their writes by the array sizes.
 */
struct pnfs_ff_netaddr {
	char				netid[FF_NETID_LEN + 1];	/* transport id, e.g. "tcp"/"tcp6" */
	char				addr[FF_ADDR_LEN + 1];	/* textual address; sized INET6_ADDRSTRLEN + 8 */
	u32				netid_len;	/* length of netid in bytes */
	u32				addr_len;	/* length of addr in bytes */
};

struct pnfs_ff_device_addr {

            

Reported by FlawFinder.

fs/nfsd/nfs4callback.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 1018 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              {
	nfsd4_mark_cb_state(clp, NFSD4_CB_UNKNOWN);
	spin_lock(&clp->cl_lock);
	memcpy(&clp->cl_cb_conn, conn, sizeof(struct nfs4_cb_conn));
	spin_unlock(&clp->cl_lock);
}

/*
 * There's currently a single callback channel slot.

            

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 1301 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              	 */
	BUG_ON(!(clp->cl_flags & NFSD4_CLIENT_CB_FLAG_MASK));
	clear_bit(NFSD4_CLIENT_CB_UPDATE, &clp->cl_flags);
	memcpy(&conn, &cb->cb_clp->cl_cb_conn, sizeof(struct nfs4_cb_conn));
	c = __nfsd4_find_backchannel(clp);
	if (c) {
		svc_xprt_get(c->cn_xprt);
		conn.cb_xprt = c->cn_xprt;
		ses = c->cn_session;

            

Reported by FlawFinder.

fs/nfsd/nfscache.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 561 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              			return;
		}
		cachv->iov_len = bufsize;
		memcpy(cachv->iov_base, statp, bufsize);
		break;
	case RC_NOCACHE:
		nfsd_reply_cache_free(b, rp, nn);
		return;
	}

            

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 592 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              				data->iov_len);
		return 0;
	}
	memcpy((char*)vec->iov_base + vec->iov_len, data->iov_base, data->iov_len);
	vec->iov_len += data->iov_len;
	return 1;
}

/*

            

Reported by FlawFinder.

fs/nfsd/nfsd.h
2 issues
sprintf - Does not check for buffer overflows. In this snippet the source is the string literal "tcp", so the write is a fixed 3 bytes plus NUL; it can only overflow if `netaddr->netid` is smaller than 4 bytes (if `netaddr` is a `struct pnfs_ff_netaddr`, `netid` is `FF_NETID_LEN + 1` = 5 bytes, which fits). A bounded copy would still make that invariant explicit in the code.
Security

Line: 416 Column: 3 CWE codes: 120
Suggestion: Use sprintf_s, snprintf, or vsnprintf

              	switch (addr->sa_family) {
	case AF_INET:
		port = ntohs(sin->sin_port);
		sprintf(netaddr->netid, "tcp");
		netaddr->netid_len = 3;
		break;
	case AF_INET6:
		port = ntohs(sin6->sin6_port);
		sprintf(netaddr->netid, "tcp6");

            

Reported by FlawFinder.

sprintf - Does not check for buffer overflows. The source here is the literal "tcp6" (4 bytes plus NUL), the longest netid written in this switch; it fits a `netid[FF_NETID_LEN + 1]` buffer (5 bytes) if `netaddr` is a `struct pnfs_ff_netaddr`, but a bounded copy would make that size assumption visible at the call site.
Security

Line: 421 Column: 3 CWE codes: 120
Suggestion: Use sprintf_s, snprintf, or vsnprintf

              		break;
	case AF_INET6:
		port = ntohs(sin6->sin6_port);
		sprintf(netaddr->netid, "tcp6");
		netaddr->netid_len = 4;
		break;
	default:
		return nfserr_inval;
	}

            

Reported by FlawFinder.

fs/nfsd/nfsxdr.c
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 67 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              	if (!p)
		return false;
	fh_init(fhp, NFS_FHSIZE);
	memcpy(&fhp->fh_handle.fh_base, p, NFS_FHSIZE);
	fhp->fh_handle.fh_size = NFS_FHSIZE;

	return true;
}


            

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 81 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              	p = xdr_reserve_space(xdr, NFS_FHSIZE);
	if (!p)
		return false;
	memcpy(p, &fhp->fh_handle.fh_base, NFS_FHSIZE);

	return true;
}

static __be32 *

            

Reported by FlawFinder.

fs/nfsd/xdr3.h
2 issues
access - This usually indicates a security flaw. If an attacker can change anything along the path between the call to access() and the file's actual use (e.g., by moving files), the attacker can exploit the race condition. Note that the flagged token in the snippet below is the `__u32 access` member of `struct nfsd3_accessargs`, not a call to access(2), so the TOCTOU warning does not apply to this match.
Security

Line: 28 Column: 10 CWE codes: 362/367!
Suggestion: Set up the correct permissions (e.g., using setuid()) and try to open the file directly

              
/* Decoded arguments of an NFSv3 ACCESS request (presumably; inferred from the name). */
struct nfsd3_accessargs {
	struct svc_fh		fh;	/* file handle the request applies to */
	__u32			access;	/* access mask requested by the client; a field, not access(2) */
};

struct nfsd3_readargs {
	struct svc_fh		fh;
	__u64			offset;

            

Reported by FlawFinder.

access - This usually indicates a security flaw. If an attacker can change anything along the path between the call to access() and the file's actual use (e.g., by moving files), the attacker can exploit the race condition. As with the previous finding, the match is the `__u32 access` member of `struct nfsd3_accessres`, a data field rather than a call to access(2).
Security

Line: 132 Column: 10 CWE codes: 362/367!
Suggestion: Set up the correct permissions (e.g., using setuid()) and try to open the file directly

              struct nfsd3_accessres {
	/* Result of an NFSv3 ACCESS request (presumably; inferred from the name). */
	__be32			status;	/* NFS status code, big-endian wire order */
	struct svc_fh		fh;	/* file handle the reply refers to */
	__u32			access;	/* access mask granted; a field, not a call to access(2) */
	struct kstat		stat;	/* attributes returned with the reply -- TODO confirm */
};

struct nfsd3_readlinkres {
	__be32			status;

            

Reported by FlawFinder.