If a watchdog driver tells the framework that the device is running,
the framework takes care of feeding the watchdog until userspace opens
the device. If the userspace application which is supposed to do that
never comes up properly, the watchdog is fed indefinitely by the
kernel. This can be especially problematic for embedded devices.
The existing handle_boot_enabled cmdline parameter/config option
partially solves that, but that is only usable for the subset of
hardware watchdogs that have (or can be configured by the bootloader
to have) a timeout that is sufficient to make it realistic for
userspace to come up. Many devices have timeouts of only a few
seconds, or even less, making handle_boot_enabled insufficient.
These patches allow one to set a maximum time for which the kernel
will feed the watchdog, thus ensuring that either userspace has come
up, or the board gets reset. This allows fallback logic in the
bootloader to attempt some recovery (for example, if an automatic
update is in progress, it could roll back to the previous version).
The patches have been tested on a Raspberry Pi 2 and a Wandboard.
Changes in v10: The open_timeout now only applies to the first open
from userspace. If userspace needs to close and re-open the watchdog
device (e.g. to re-exec itself), and wants the board to reset in case
it doesn't come back quickly enough, the open_timeout can easily be
emulated by combining nowayout with an appropriate WDIOC_SETTIMEOUT.
Changes in v9: Make the unit seconds instead of milliseconds.
Rasmus Villemoes (3):
watchdog: introduce watchdog.open_timeout commandline parameter
watchdog: introduce CONFIG_WATCHDOG_OPEN_TIMEOUT
watchdog: make the device time out at open_deadline when open_timeout
is used
.../watchdog/watchdog-parameters.txt | 8 ++++
drivers/watchdog/Kconfig | 9 ++++
drivers/watchdog/watchdog_dev.c | 48 ++++++++++++++++---
3 files changed, 59 insertions(+), 6 deletions(-)
--
2.20.1
