Comment 1 for bug 1850867

Jann Horn (corp account) (jannh) wrote :

Oh, by the way, I'm pretty sure that shiftfs_override_object_creds() is also wrong, although I'm not sure in what situation that would actually become exploitable; it uses code like this to override credentials before creating a file in the lower fs:

 (*newcred)->fsuid = KUIDT_INIT(from_kuid(sb->s_user_ns, fsuid));
 (*newcred)->fsgid = KGIDT_INIT(from_kgid(sb->s_user_ns, fsgid));

I think this is supposed to be something along the lines of `make_kuid(lower_ns, from_kuid(sb->s_user_ns, fsuid))`, and it's going to do the wrong thing when the userns of the lower filesystem is not the init_user_ns.
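To make the mapping mistake concrete, here is an added example that is not part of the bug comment or of the shiftfs code. It is a constructed user-space model of the kernel's kuid/uid translation (from_kuid() as map_id_up, make_kuid() as map_id_down, with each namespace's lower_first stored in init_user_ns terms, as the kernel does). The three namespaces and their id ranges are made-up sample data, and shiftfs_fsuid_as_posted() / shiftfs_fsuid_suggested() are hypothetical names for the two expressions quoted above, not functions in shiftfs. It shows that the posted pattern and the suggested make_kuid() form agree only when the lower filesystem's user namespace is init_user_ns.

```c
/* Constructed model of kuid <-> namespace uid mapping; not kernel code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;
#define INVALID_ID ((u32)-1)

/* A kuid is a kernel-internal uid, i.e. the uid as seen from init_user_ns. */
typedef struct { u32 val; } kuid_t;
#define KUIDT_INIT(v) ((kuid_t){ .val = (v) })
#define INVALID_UID   KUIDT_INIT(INVALID_ID)

/* One uid_map line: ids [first, first+count) in this ns map to kuids [lower_first, ...). */
struct uid_extent { u32 first; u32 lower_first; u32 count; };

struct user_namespace {
    const char *name;
    struct uid_extent map[2];
    int nr_extents;
};

/* Sample namespaces (constructed). lower_first is already a kuid, as the kernel stores it. */
static const struct user_namespace init_user_ns = { "init_user_ns", { { 0, 0, 0xFFFFFFFFu } }, 1 };
static const struct user_namespace container_ns = { "container_ns", { { 0, 100000, 65536 } }, 1 };
static const struct user_namespace lower_fs_ns  = { "lower_fs_ns",  { { 0, 200000, 65536 } }, 1 };

static bool uid_valid(kuid_t k) { return k.val != INVALID_ID; }

/* from_kuid(): kuid -> uid as seen inside ns; INVALID_ID if ns has no mapping for it. */
static u32 from_kuid(const struct user_namespace *ns, kuid_t kuid)
{
    for (int i = 0; i < ns->nr_extents; i++) {
        const struct uid_extent *e = &ns->map[i];
        if (kuid.val >= e->lower_first && kuid.val - e->lower_first < e->count)
            return e->first + (kuid.val - e->lower_first);
    }
    return INVALID_ID;
}

/* make_kuid(): uid as seen inside ns -> kuid; INVALID_UID if unmapped. */
static kuid_t make_kuid(const struct user_namespace *ns, u32 uid)
{
    for (int i = 0; i < ns->nr_extents; i++) {
        const struct uid_extent *e = &ns->map[i];
        if (uid >= e->first && uid - e->first < e->count)
            return KUIDT_INIT(e->lower_first + (uid - e->first));
    }
    return INVALID_UID;
}

/* The expression quoted from shiftfs_override_object_creds(): re-wraps the s_user_ns view
 * as a kuid without consulting the lower filesystem's namespace at all. */
static kuid_t shiftfs_fsuid_as_posted(const struct user_namespace *s_user_ns, kuid_t fsuid)
{
    return KUIDT_INIT(from_kuid(s_user_ns, fsuid));
}

/* The translation the comment suggests: map the s_user_ns uid back into a kuid
 * through the lower filesystem's own user namespace. */
static kuid_t shiftfs_fsuid_suggested(const struct user_namespace *s_user_ns,
                                      const struct user_namespace *lower_ns, kuid_t fsuid)
{
    return make_kuid(lower_ns, from_kuid(s_user_ns, fsuid));
}

int main(void)
{
    kuid_t container_root = make_kuid(&container_ns, 0);   /* uid 0 in the container: kuid 100000 */
    kuid_t posted = shiftfs_fsuid_as_posted(&container_ns, container_root);
    kuid_t via_init = shiftfs_fsuid_suggested(&container_ns, &init_user_ns, container_root);
    kuid_t via_lower = shiftfs_fsuid_suggested(&container_ns, &lower_fs_ns, container_root);

    printf("task fsuid: kuid %u (uid 0 in %s)\n", container_root.val, container_ns.name);
    printf("as posted:                       kuid %u\n", posted.val);
    printf("suggested, lower = init_user_ns: kuid %u\n", via_init.val);
    printf("suggested, lower = lower_fs_ns:  kuid %u\n", via_lower.val);

    /* A kuid with no mapping in s_user_ns comes back invalid either way; callers must check. */
    kuid_t unmapped = shiftfs_fsuid_as_posted(&container_ns, KUIDT_INIT(500000));
    printf("unmapped kuid 500000 -> %s\n", uid_valid(unmapped) ? "valid" : "INVALID_UID");
    return 0;
}
```

With the lower filesystem in init_user_ns the two forms both yield kuid 0, which is why the defect can stay latent; with the lower filesystem in its own namespace the posted form still produces kuid 0 (global root), while the suggested form produces kuid 200000, the id that uid 0 actually denotes in that namespace. Either form returns an invalid kuid for an fsuid that s_user_ns cannot represent, so a real implementation also needs a uid_valid() check before using the result.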