[PATCH 2/2] ntsync: honour caller's time namespace for absolute MONOTONIC timeouts

[Maoyi Xie]

ntsync_schedule() takes the absolute timeout from userspace and hands
it to schedule_hrtimeout_range_clock() with HRTIMER_MODE_ABS. For the
default CLOCK_MONOTONIC path, it does not call timens_ktime_to_host()
first.

A process inside a CLOCK_MONOTONIC time namespace computes the
absolute timeout in its own clock view. The kernel reads the same
value against the host clock. The two differ by the namespace offset.
The timeout then fires too early or too late.

Other consumers of absolute timeouts run the ktime through
timens_ktime_to_host() before hrtimer. Examples are timerfd,
posix-timers, alarmtimer, posix-stubs and futex. ntsync was added
later and missed that step.

/dev/ntsync is mode 0666. Any user inside a time namespace that can
open it is affected. The visible effect is wrong timeout behaviour
for Wine in a container that sets a CLOCK_MONOTONIC offset.

Reproducer: unshare --user --time, set the monotonic offset to -10s,
issue NTSYNC_IOC_WAIT_ANY with a 100 ms absolute MONOTONIC timeout.
The baseline run elapses about 100 ms. The run inside the namespace
elapses about 0 ms.

Apply timens_ktime_to_host() to the parsed timeout when the caller
did not set NTSYNC_WAIT_REALTIME. The helper does nothing in the
initial time namespace, so the fast path is unchanged.

Fixes: b4a7b5fe3f51 ("ntsync: Introduce NTSYNC_IOC_WAIT_ANY.")
Cc: stable@xxxxxxxxxxxxxxx # v6.14+
Signed-off-by: Maoyi Xie <maoyixie.tju@xxxxxxxxx>
---
 drivers/misc/ntsync.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/misc/ntsync.c b/drivers/misc/ntsync.c
index 30af282262ef..02c9d1192812 100644
--- a/drivers/misc/ntsync.c
+++ b/drivers/misc/ntsync.c
@@ -19,6 +19,7 @@
 #include <linux/sched/signal.h>
 #include <linux/slab.h>
 #include <linux/spinlock.h>
+#include <linux/time_namespace.h>
 #include <uapi/linux/ntsync.h>
 
 #define NTSYNC_NAME	"ntsync"
@@ -836,6 +837,8 @@ static int ntsync_schedule(const struct ntsync_q *q, const struct ntsync_wait_ar
 
 	if (args->flags & NTSYNC_WAIT_REALTIME)
 		clock = CLOCK_REALTIME;
+	else
+		timeout = timens_ktime_to_host(clock, timeout);
 
 	do {
 		if (signal_pending(current)) {
-- 
2.34.1