Re: io_uring: should IORING_TIMEOUT_ABS honour the submitter's time namespace?

[Jens Axboe]

On 5/3/26 9:12 AM, Xie Maoyi wrote:
> On <5/2/26>, Maoyi Xie wrote (correcting my own earlier reply):
>> Under SQPOLL, the parse path runs in the SQPOLL kernel thread. That
>> thread is in the initial time namespace. So timens_ktime_to_host()
>> through "current" silently misses the offset for SQPOLL submitters.
> 
> Apologies, that paragraph in my previous reply was wrong. I have
> tested it.
> 
> Vanilla v7.0, SQPOLL ring inside a fresh CLONE_NEWTIME with a -10s
> monotonic offset, ABS deadline = now + 1s:
> 
>     [child] SQPOLL TIMEOUT_ABS elapsed=1 ms (bug fires immediately)
> 
> Same kernel with your conversion logic applied:
> 
>     [child] SQPOLL TIMEOUT_ABS elapsed=1000 ms (offset honoured)
> 
> The reason is in create_io_thread(). It is called with CLONE_THREAD
> and no CLONE_NEW* flag. copy_namespaces() therefore shares the
> submitter's nsproxy by reference rather than allocating a fresh one.
> Inside the SQPOLL kthread current->nsproxy->time_ns is the submitter's
> time_ns. timens_ktime_to_host() resolves correctly. So the SQPOLL
> follow-up I floated is unnecessary, your draft covers both paths.
> 
> While verifying SQPOLL, I also noticed io_uring/wait.c around lines
> 230-234. The IORING_ENTER_ABS_TIMER path on io_uring_enter() parses
> ext_arg->ts inline rather than going through io_parse_user_time, so it
> does not pick up your fix. Same shape of bug, separate code path. PoC
> on vanilla shows elapsed = 1 ms, patched shows ~1000 ms. I can send
> the small follow-up patch for that path as a separate thread once your
> IORING_OP_TIMEOUT side has landed, or fold it into the same series.
> Whichever you prefer.

Might make sense to refactor a helper that does the time translation,
and then patch 1 would basically be Pavel's fix and patch 2 would be
sorting out the io_cqring_wait() translation as well. Both should be
able to use the refactored helper.

-- 
Jens Axboe