Oh, by the way, I'm pretty sure that shiftfs_override_object_creds() is also wrong, although I'm not sure in what situation that would actually become exploitable; it uses code like this to override credentials before creating a file in the lower fs:
```c
(*newcred)->fsuid = KUIDT_INIT(from_kuid(sb->s_user_ns, fsuid));
(*newcred)->fsgid = KGIDT_INIT(from_kgid(sb->s_user_ns, fsgid));
```
I think this is supposed to be something along the lines of `make_kuid(lower_ns, from_kuid(sb->s_user_ns, fsuid))`, and it's going to do the wrong thing when the userns of the lower filesystem is not the init_user_ns.
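Added example, not part of the original comment and not shiftfs code: a userspace model of the two ID translations, showing that the quoted pattern and the suggested one agree only when the lower filesystem's userns is the identity-mapped init_user_ns. The `model_*` and `override_*` names and the three sample namespace maps are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#define INVALID_ID UINT32_MAX

/* One uid_map extent: local ids [first, first+count) <-> kernel-global ids from lower_first. */
struct id_map { uint32_t first, lower_first, count; };

/* Constructed sample namespaces (assumptions, not taken from the report). */
static const struct id_map init_ns  = { 0, 0,      UINT32_MAX }; /* identity map */
static const struct id_map sb_ns    = { 0, 100000, 65536 };      /* sb->s_user_ns */
static const struct id_map lower_ns = { 0, 200000, 65536 };      /* lower fs userns */

/* Model of make_kuid(): namespace-local id -> kernel-global id. */
static uint32_t model_make_kuid(const struct id_map *ns, uint32_t id) {
    if (id >= ns->first && id - ns->first < ns->count)
        return ns->lower_first + (id - ns->first);
    return INVALID_ID;
}

/* Model of from_kuid(): kernel-global id -> namespace-local id. */
static uint32_t model_from_kuid(const struct id_map *ns, uint32_t kid) {
    if (kid >= ns->lower_first && kid - ns->lower_first < ns->count)
        return ns->first + (kid - ns->lower_first);
    return INVALID_ID;
}

/* Quoted pattern: KUIDT_INIT() wraps the number without translating it,
 * so the namespace-local value is used directly as a kernel-global id. */
static uint32_t override_quoted(const struct id_map *sb, uint32_t fsuid) {
    return model_from_kuid(sb, fsuid);
}

/* Suggested pattern: translate the local value through the lower userns. */
static uint32_t override_suggested(const struct id_map *sb,
                                   const struct id_map *lower, uint32_t fsuid) {
    uint32_t local = model_from_kuid(sb, fsuid);
    return local == INVALID_ID ? INVALID_ID : model_make_kuid(lower, local);
}

int main(void) {
    uint32_t fsuid = 101000; /* kernel-global id of uid 1000 in sb_ns */
    printf("quoted=%u via_init=%u via_lower=%u\n", override_quoted(&sb_ns, fsuid),
           override_suggested(&sb_ns, &init_ns, fsuid),
           override_suggested(&sb_ns, &lower_ns, fsuid));
    return 0;
}
```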