ntsync_schedule() hands an absolute MONOTONIC timeout from userspace
to schedule_hrtimeout_range_clock() without applying the caller's
time namespace offset. Inside a CLOCK_MONOTONIC time namespace, the
timeout fires too early or too late by the offset. Elizabeth Figura
confirmed the bug on the inquiry thread [1] and said whoever gets to
it first can fix it.

The fix calls timens_ktime_to_host() before hrtimer. That helper is
an inline in <linux/time_namespace.h> and references init_time_ns
and do_timens_ktime_to_host. All current users are in the kernel
itself, so neither symbol is exported. ntsync is the first module
user, so 1/2 exports both with EXPORT_SYMBOL_GPL.

I considered two alternatives for the export. Flipping CONFIG_NTSYNC
to bool would break module users. A new exported out of line wrapper
that hides init_time_ns is a cleaner ABI but adds a helper for one
caller. If a different export shape is preferred, please let me know
and I will follow that.

Routing: 1/2 touches kernel/time/, 2/2 touches drivers/misc/. A
timens Ack on 1/2 would let the series go through char-misc, or
both can go via tip. Either works.

Reproducer: unshare --user --time, monotonic offset -10s,
NTSYNC_IOC_WAIT_ANY with a 100 ms absolute MONOTONIC timeout.
Before, the run inside the namespace elapses about 0 ms. After,
about 100 ms. Full PoC and logs available on request.

I raised the export plan on linux-kernel on 2026-05-21 [2] and got
no reply, so I am sending the series for concrete review.

[1] https://lore.kernel.org/lkml/53921477.W1JGFHXlht@camazotz/
[2] https://lore.kernel.org/lkml/20260521153928.3724328-1-maoyixie.tju@gmail.com/

Maoyi Xie (2):
  time/namespace: export init_time_ns and do_timens_ktime_to_host
  ntsync: honour caller's time namespace for absolute MONOTONIC timeouts

 drivers/misc/ntsync.c   | 3 +++
 kernel/time/namespace.c | 2 ++
 2 files changed, 5 insertions(+)

-- 
2.34.1