If a watchdog driver tells the framework that the device is running,
the framework takes care of feeding the watchdog until userspace opens
the device. If the userspace application which is supposed to do that
never comes up properly, the watchdog is fed indefinitely by the
kernel. This can be especially problematic for embedded devices.
The existing handle_boot_enabled cmdline parameter/config option
partially solves that, but that is only usable for the subset of
hardware watchdogs that have (or can be configured by the bootloader
to have) a timeout that is sufficient to make it realistic for
userspace to come up. Many devices have timeouts of a second, or even
less, making handle_boot_enabled insufficient.
These patches allow one to set a maximum time for which the kernel
will feed the watchdog, thus ensuring that either userspace has come
up, or the board gets reset. This allows fallback logic in the
bootloader to attempt some recovery (for example, if an automatic
update is in progress, it could roll back to the previous version).
The patches have been tested on a Raspberry Pi 2 and a Wandboard.
A preparatory patch of this series has already been merged
(c013b65ad8a1e "watchdog: introduce watchdog_worker_should_ping
helper"). On 2017-07-08, Guenter wrote [1]
It is sufficiently different to handle_boot_enabled to keep it
separate. I am mostly ok with the patch. One comment below.
That one comment (regarding the placement of the module_param) has
been addressed in this version.
There has been some opposition to making the default value of
watchdog.open_timeout configurable in Kconfig, but in [2] Guenter said
I used to be opposed to it, but it does seem to make some sense to
me now after thinking about it.
I do hope that these patches can now find their way into the kernel,
but if 2/2 is somehow still controversial, please consider just taking
1/2. (I can't help but noting that handle_boot_enabled does get its
default value from Kconfig, and nobody complained about that when that
option was added).
[1] https://patchwork.kernel.org/patch/9754095/
[2] https://patchwork.kernel.org/patch/9754093/
Rasmus Villemoes (2):
watchdog: introduce watchdog.open_timeout commandline parameter
watchdog: introduce CONFIG_WATCHDOG_OPEN_TIMEOUT
Documentation/watchdog/watchdog-parameters.txt | 9 +++++++++
drivers/watchdog/Kconfig | 9 +++++++++
drivers/watchdog/watchdog_dev.c | 27 +++++++++++++++++++++++++-
3 files changed, 44 insertions(+), 1 deletion(-)
--
2.7.4
From 1585347315545683087@xxx Tue Nov 28 21:36:57 +0000 2017
X-GM-THRID: 1585347315545683087
X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread
This allows setting a default value for the watchdog.open_timeout
commandline parameter via Kconfig.
Some BSPs allow remote updating of the kernel image and root file
system, but updating the bootloader requires physical access. Hence, if
one has a firmware update that requires relaxing the
watchdog.open_timeout a little, the value used must be baked into the
kernel image itself and cannot come from the u-boot environment via the
kernel command line.
Being able to set the initial value in .config doesn't change the fact
that the value on the command line, if present, takes precedence, and is
of course immensely useful for development purposes while one has
console acccess, as well as usable in the cases where one can make a
permanent update of the kernel command line.
Signed-off-by: Rasmus Villemoes <[email protected]>
Reviewed-by: Esben Haabendal <[email protected]>
---
Documentation/watchdog/watchdog-parameters.txt | 3 ++-
drivers/watchdog/Kconfig | 9 +++++++++
drivers/watchdog/watchdog_dev.c | 2 +-
3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/Documentation/watchdog/watchdog-parameters.txt b/Documentation/watchdog/watchdog-parameters.txt
index 5363bf3..60dd2be 100644
--- a/Documentation/watchdog/watchdog-parameters.txt
+++ b/Documentation/watchdog/watchdog-parameters.txt
@@ -11,7 +11,8 @@ modules.
The watchdog core parameter watchdog.open_timeout is the maximum time,
in milliseconds, for which the watchdog framework will take care of
pinging a hardware watchdog until userspace opens the corresponding
-/dev/watchdogN device. A value of 0 (the default) means an infinite
+/dev/watchdogN device. The defalt value is
+CONFIG_WATCHDOG_OPEN_TIMEOUT. A value of 0 means an infinite
timeout. Setting this to a non-zero value can be useful to ensure that
either userspace comes up properly, or the board gets reset and allows
fallback logic in the bootloader to try something else.
diff --git a/drivers/watchdog/Kconfig b/drivers/watchdog/Kconfig
index ca200d1..a142e1e 100644
--- a/drivers/watchdog/Kconfig
+++ b/drivers/watchdog/Kconfig
@@ -63,6 +63,15 @@ config WATCHDOG_SYSFS
Say Y here if you want to enable watchdog device status read through
sysfs attributes.
+config WATCHDOG_OPEN_TIMEOUT
+ int "Timeout value for opening watchdog device"
+ default 0
+ help
+ The maximum time, in milliseconds, for which the watchdog
+ framework takes care of pinging a hardware watchdog. A value
+ of 0 means infinite. The value set here can be overridden by
+ the commandline parameter "watchdog.open_timeout".
+
#
# General Watchdog drivers
#
diff --git a/drivers/watchdog/watchdog_dev.c b/drivers/watchdog/watchdog_dev.c
index b4985db..9f18952 100644
--- a/drivers/watchdog/watchdog_dev.c
+++ b/drivers/watchdog/watchdog_dev.c
@@ -84,7 +84,7 @@ static struct workqueue_struct *watchdog_wq;
static bool handle_boot_enabled =
IS_ENABLED(CONFIG_WATCHDOG_HANDLE_BOOT_ENABLED);
-static unsigned open_timeout;
+static unsigned open_timeout = CONFIG_WATCHDOG_OPEN_TIMEOUT;
static bool watchdog_past_open_deadline(struct watchdog_core_data *data)
{
--
2.7.4
From 1584411652675779046@xxx Sat Nov 18 13:44:59 +0000 2017
X-GM-THRID: 1584411652675779046
X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread