| The Linux WatchDog Timer Driver Core kernel API. |
| =============================================== |
| Last reviewed: 12-Feb-2013 |
| |
| Wim Van Sebroeck <wim@iguana.be> |
| |
| Introduction |
| ------------ |
| This document does not describe what a WatchDog Timer (WDT) Driver or Device is. |
| It also does not describe the API which can be used by user space to communicate |
| with a WatchDog Timer. If you want to know this then please read the following |
| file: Documentation/watchdog/watchdog-api.txt . |
| |
| So what does this document describe? It describes the API that can be used by |
| WatchDog Timer Drivers that want to use the WatchDog Timer Driver Core |
| Framework. This framework provides all interfacing towards user space so that |
| the same code does not have to be reproduced each time. This also means that |
| a watchdog timer driver then only needs to provide the different routines |
| (operations) that control the watchdog timer (WDT). |
| |
| The API |
| ------- |
| Each watchdog timer driver that wants to use the WatchDog Timer Driver Core |
| must #include <linux/watchdog.h> (you would have to do this anyway when |
| writing a watchdog device driver). This include file contains following |
| register/unregister routines: |
| |
| extern int watchdog_register_device(struct watchdog_device *); |
| extern void watchdog_unregister_device(struct watchdog_device *); |
| |
| The watchdog_register_device routine registers a watchdog timer device. |
| The parameter of this routine is a pointer to a watchdog_device structure. |
| This routine returns zero on success and a negative errno code for failure. |
| |
| The watchdog_unregister_device routine deregisters a registered watchdog timer |
| device. The parameter of this routine is the pointer to the registered |
| watchdog_device structure. |
| |
| The watchdog subsystem includes an registration deferral mechanism, |
| which allows you to register an watchdog as early as you wish during |
| the boot process. |
| |
| The watchdog device structure looks like this: |
| |
| struct watchdog_device { |
| int id; |
| struct cdev cdev; |
| struct device *dev; |
| struct device *parent; |
| const struct watchdog_info *info; |
| const struct watchdog_ops *ops; |
| unsigned int bootstatus; |
| unsigned int timeout; |
| unsigned int min_timeout; |
| unsigned int max_timeout; |
| struct notifier_block reboot_nb; |
| struct notifier_block restart_nb; |
| void *driver_data; |
| struct mutex lock; |
| unsigned long status; |
| struct list_head deferred; |
| }; |
| |
| It contains following fields: |
| * id: set by watchdog_register_device, id 0 is special. It has both a |
| /dev/watchdog0 cdev (dynamic major, minor 0) as well as the old |
| /dev/watchdog miscdev. The id is set automatically when calling |
| watchdog_register_device. |
| * cdev: cdev for the dynamic /dev/watchdog<id> device nodes. This |
| field is also populated by watchdog_register_device. |
| * dev: device under the watchdog class (created by watchdog_register_device). |
| * parent: set this to the parent device (or NULL) before calling |
| watchdog_register_device. |
| * info: a pointer to a watchdog_info structure. This structure gives some |
| additional information about the watchdog timer itself. (Like it's unique name) |
| * ops: a pointer to the list of watchdog operations that the watchdog supports. |
| * timeout: the watchdog timer's timeout value (in seconds). |
| * min_timeout: the watchdog timer's minimum timeout value (in seconds). |
| * max_timeout: the watchdog timer's maximum timeout value (in seconds). |
| * reboot_nb: notifier block that is registered for reboot notifications, for |
| internal use only. If the driver calls watchdog_stop_on_reboot, watchdog core |
| will stop the watchdog on such notifications. |
| * restart_nb: notifier block that is registered for machine restart, for |
| internal use only. If a watchdog is capable of restarting the machine, it |
| should define ops->restart. Priority can be changed through |
| watchdog_set_restart_priority. |
| * bootstatus: status of the device after booting (reported with watchdog |
| WDIOF_* status bits). |
| * driver_data: a pointer to the drivers private data of a watchdog device. |
| This data should only be accessed via the watchdog_set_drvdata and |
| watchdog_get_drvdata routines. |
| * lock: Mutex for WatchDog Timer Driver Core internal use only. |
| * status: this field contains a number of status bits that give extra |
| information about the status of the device (Like: is the watchdog timer |
| running/active, is the nowayout bit set, is the device opened via |
| the /dev/watchdog interface or not, ...). |
| * deferred: entry in wtd_deferred_reg_list which is used to |
| register early initialized watchdogs. |
| |
| The list of watchdog operations is defined as: |
| |
| struct watchdog_ops { |
| struct module *owner; |
| /* mandatory operations */ |
| int (*start)(struct watchdog_device *); |
| int (*stop)(struct watchdog_device *); |
| /* optional operations */ |
| int (*ping)(struct watchdog_device *); |
| unsigned int (*status)(struct watchdog_device *); |
| int (*set_timeout)(struct watchdog_device *, unsigned int); |
| unsigned int (*get_timeleft)(struct watchdog_device *); |
| int (*restart)(struct watchdog_device *); |
| void (*ref)(struct watchdog_device *); |
| void (*unref)(struct watchdog_device *); |
| long (*ioctl)(struct watchdog_device *, unsigned int, unsigned long); |
| }; |
| |
| It is important that you first define the module owner of the watchdog timer |
| driver's operations. This module owner will be used to lock the module when |
| the watchdog is active. (This to avoid a system crash when you unload the |
| module and /dev/watchdog is still open). |
| |
| If the watchdog_device struct is dynamically allocated, just locking the module |
| is not enough and a driver also needs to define the ref and unref operations to |
| ensure the structure holding the watchdog_device does not go away. |
| |
| The simplest (and usually sufficient) implementation of this is to: |
| 1) Add a kref struct to the same structure which is holding the watchdog_device |
| 2) Define a release callback for the kref which frees the struct holding both |
| 3) Call kref_init on this kref *before* calling watchdog_register_device() |
| 4) Define a ref operation calling kref_get on this kref |
| 5) Define a unref operation calling kref_put on this kref |
| 6) When it is time to cleanup: |
| * Do not kfree() the struct holding both, the last kref_put will do this! |
| * *After* calling watchdog_unregister_device() call kref_put on the kref |
| |
| Some operations are mandatory and some are optional. The mandatory operations |
| are: |
| * start: this is a pointer to the routine that starts the watchdog timer |
| device. |
| The routine needs a pointer to the watchdog timer device structure as a |
| parameter. It returns zero on success or a negative errno code for failure. |
| * stop: with this routine the watchdog timer device is being stopped. |
| The routine needs a pointer to the watchdog timer device structure as a |
| parameter. It returns zero on success or a negative errno code for failure. |
| Some watchdog timer hardware can only be started and not be stopped. The |
| driver supporting this hardware needs to make sure that a start and stop |
| routine is being provided. This can be done by using a timer in the driver |
| that regularly sends a keepalive ping to the watchdog timer hardware. |
| |
| Not all watchdog timer hardware supports the same functionality. That's why |
| all other routines/operations are optional. They only need to be provided if |
| they are supported. These optional routines/operations are: |
| * ping: this is the routine that sends a keepalive ping to the watchdog timer |
| hardware. |
| The routine needs a pointer to the watchdog timer device structure as a |
| parameter. It returns zero on success or a negative errno code for failure. |
| Most hardware that does not support this as a separate function uses the |
| start function to restart the watchdog timer hardware. And that's also what |
| the watchdog timer driver core does: to send a keepalive ping to the watchdog |
| timer hardware it will either use the ping operation (when available) or the |
| start operation (when the ping operation is not available). |
| (Note: the WDIOC_KEEPALIVE ioctl call will only be active when the |
| WDIOF_KEEPALIVEPING bit has been set in the option field on the watchdog's |
| info structure). |
| * status: this routine checks the status of the watchdog timer device. The |
| status of the device is reported with watchdog WDIOF_* status flags/bits. |
| * set_timeout: this routine checks and changes the timeout of the watchdog |
| timer device. It returns 0 on success, -EINVAL for "parameter out of range" |
| and -EIO for "could not write value to the watchdog". On success this |
| routine should set the timeout value of the watchdog_device to the |
| achieved timeout value (which may be different from the requested one |
| because the watchdog does not necessarily has a 1 second resolution). |
| (Note: the WDIOF_SETTIMEOUT needs to be set in the options field of the |
| watchdog's info structure). |
| * get_timeleft: this routines returns the time that's left before a reset. |
| * restart: this routine restarts the machine. It returns 0 on success or a |
| negative errno code for failure. |
| * ref: the operation that calls kref_get on the kref of a dynamically |
| allocated watchdog_device struct. |
| * unref: the operation that calls kref_put on the kref of a dynamically |
| allocated watchdog_device struct. |
| * ioctl: if this routine is present then it will be called first before we do |
| our own internal ioctl call handling. This routine should return -ENOIOCTLCMD |
| if a command is not supported. The parameters that are passed to the ioctl |
| call are: watchdog_device, cmd and arg. |
| |
| The status bits should (preferably) be set with the set_bit and clear_bit alike |
| bit-operations. The status bits that are defined are: |
| * WDOG_ACTIVE: this status bit indicates whether or not a watchdog timer device |
| is active or not. When the watchdog is active after booting, then you should |
| set this status bit (Note: when you register the watchdog timer device with |
| this bit set, then opening /dev/watchdog will skip the start operation) |
| * WDOG_DEV_OPEN: this status bit shows whether or not the watchdog device |
| was opened via /dev/watchdog. |
| (This bit should only be used by the WatchDog Timer Driver Core). |
| * WDOG_ALLOW_RELEASE: this bit stores whether or not the magic close character |
| has been sent (so that we can support the magic close feature). |
| (This bit should only be used by the WatchDog Timer Driver Core). |
| * WDOG_NO_WAY_OUT: this bit stores the nowayout setting for the watchdog. |
| If this bit is set then the watchdog timer will not be able to stop. |
| * WDOG_UNREGISTERED: this bit gets set by the WatchDog Timer Driver Core |
| after calling watchdog_unregister_device, and then checked before calling |
| any watchdog_ops, so that you can be sure that no operations (other then |
| unref) will get called after unregister, even if userspace still holds a |
| reference to /dev/watchdog |
| |
| To set the WDOG_NO_WAY_OUT status bit (before registering your watchdog |
| timer device) you can either: |
| * set it statically in your watchdog_device struct with |
| .status = WATCHDOG_NOWAYOUT_INIT_STATUS, |
| (this will set the value the same as CONFIG_WATCHDOG_NOWAYOUT) or |
| * use the following helper function: |
| static inline void watchdog_set_nowayout(struct watchdog_device *wdd, int nowayout) |
| |
| Note: The WatchDog Timer Driver Core supports the magic close feature and |
| the nowayout feature. To use the magic close feature you must set the |
| WDIOF_MAGICCLOSE bit in the options field of the watchdog's info structure. |
| The nowayout feature will overrule the magic close feature. |
| |
| To get or set driver specific data the following two helper functions should be |
| used: |
| |
| static inline void watchdog_set_drvdata(struct watchdog_device *wdd, void *data) |
| static inline void *watchdog_get_drvdata(struct watchdog_device *wdd) |
| |
| The watchdog_set_drvdata function allows you to add driver specific data. The |
| arguments of this function are the watchdog device where you want to add the |
| driver specific data to and a pointer to the data itself. |
| |
| The watchdog_get_drvdata function allows you to retrieve driver specific data. |
| The argument of this function is the watchdog device where you want to retrieve |
| data from. The function returns the pointer to the driver specific data. |
| |
| To initialize the timeout field, the following function can be used: |
| |
| extern int watchdog_init_timeout(struct watchdog_device *wdd, |
| unsigned int timeout_parm, struct device *dev); |
| |
| The watchdog_init_timeout function allows you to initialize the timeout field |
| using the module timeout parameter or by retrieving the timeout-sec property from |
| the device tree (if the module timeout parameter is invalid). Best practice is |
| to set the default timeout value as timeout value in the watchdog_device and |
| then use this function to set the user "preferred" timeout value. |
| This routine returns zero on success and a negative errno code for failure. |
| |
| To disable the watchdog on reboot, the user must call the following helper: |
| |
| static inline void watchdog_stop_on_reboot(struct watchdog_device *wdd); |
| |
| To change the priority of the restart handler the following helper should be |
| used: |
| |
| void watchdog_set_restart_priority(struct watchdog_device *wdd, int priority); |
| |
| User should follow the following guidelines for setting the priority: |
| * 0: should be called in last resort, has limited restart capabilities |
| * 128: default restart handler, use if no other handler is expected to be |
| available, and/or if restart is sufficient to restart the entire system |
| * 255: highest priority, will preempt all other restart handlers |