xref: /linux/Documentation/watchdog/watchdog-kernel-api.rst (revision bba2c3615bd6cfee7456d1130f2e6b01b3f4e9ba) 
1===============================================
2The Linux WatchDog Timer Driver Core kernel API
3===============================================
4
5Last reviewed: 12-Feb-2013
6
7Wim Van Sebroeck <wim@iguana.be>
8
9Introduction
10------------
11This document does not describe what a WatchDog Timer (WDT) Driver or Device is.
12It also does not describe the API which can be used by user space to communicate
13with a WatchDog Timer. If you want to know this then please read the following
14file: Documentation/watchdog/watchdog-api.rst .
15
16So what does this document describe? It describes the API that can be used by
17WatchDog Timer Drivers that want to use the WatchDog Timer Driver Core
18Framework. This framework provides all interfacing towards user space so that
19the same code does not have to be reproduced each time. This also means that
20a watchdog timer driver then only needs to provide the different routines
21(operations) that control the watchdog timer (WDT).
22
23The API
24-------
25Each watchdog timer driver that wants to use the WatchDog Timer Driver Core
26must #include <linux/watchdog.h> (you would have to do this anyway when
27writing a watchdog device driver). This include file contains following
28register/unregister routines::
29
30	extern int watchdog_register_device(struct watchdog_device *);
31	extern void watchdog_unregister_device(struct watchdog_device *);
32
33The watchdog_register_device routine registers a watchdog timer device.
34The parameter of this routine is a pointer to a watchdog_device structure.
35This routine returns zero on success and a negative errno code for failure.
36
37The watchdog_unregister_device routine deregisters a registered watchdog timer
38device. The parameter of this routine is the pointer to the registered
39watchdog_device structure.
40
41The watchdog subsystem includes a registration deferral mechanism,
42which allows you to register a watchdog as early as you wish during
43the boot process.
44
45There is also a resource-managed watchdog_register_device(),
46devm_watchdog_register_device(). If you use this to register a watchdog
47device, watchdog_unregister_device() is called automatically on driver
48detach::
49
50        int devm_watchdog_register_device(struct device *dev,
51				struct watchdog_device *wdd);
52
53The watchdog device structure looks like this::
54
55  struct watchdog_device {
56	int id;
57	struct device *parent;
58	const struct attribute_group **groups;
59	const struct watchdog_info *info;
60	const struct watchdog_ops *ops;
61	const struct watchdog_governor *gov;
62	unsigned int bootstatus;
63	unsigned int timeout;
64	unsigned int pretimeout;
65	unsigned int min_timeout;
66	unsigned int max_timeout;
67	unsigned int min_hw_heartbeat_ms;
68	unsigned int max_hw_heartbeat_ms;
69	struct notifier_block reboot_nb;
70	struct notifier_block restart_nb;
71	struct notifier_block pm_nb;
72	void *driver_data;
73	struct watchdog_core_data *wd_data;
74	unsigned long status;
75	struct list_head deferred;
76  };
77
78It contains the following fields:
79
80* id: set by watchdog_register_device, id 0 is special. It has both a
81  /dev/watchdog0 cdev (dynamic major, minor 0) as well as the old
82  /dev/watchdog miscdev. The id is set automatically when calling
83  watchdog_register_device.
84* parent: set this to the parent device (or NULL) before calling
85  watchdog_register_device.
86* groups: List of sysfs attribute groups to create when creating the watchdog
87  device.
88* info: a pointer to a watchdog_info structure. This structure gives some
89  additional information about the watchdog timer itself. (Like its unique name)
90* ops: a pointer to the list of watchdog operations that the watchdog supports.
91* gov: a pointer to the assigned watchdog device pretimeout governor or NULL.
92* timeout: the watchdog timer's timeout value (in seconds).
93  This is the time after which the system will reboot if user space does
94  not send a heartbeat request if WDOG_ACTIVE is set.
95* pretimeout: the watchdog timer's pretimeout value (in seconds).
96* min_timeout: the watchdog timer's minimum timeout value (in seconds).
97  If set, the minimum configurable value for 'timeout'.
98* max_timeout: the watchdog timer's maximum timeout value (in seconds),
99  as seen from userspace. If set, the maximum configurable value for
100  'timeout'. Not used if max_hw_heartbeat_ms is non-zero.
101* min_hw_heartbeat_ms: Hardware limit for minimum time between heartbeats,
102  in milli-seconds. This value is normally 0; it should only be provided
103  if the hardware can not tolerate lower intervals between heartbeats.
104* max_hw_heartbeat_ms: Maximum hardware heartbeat, in milli-seconds.
105  If set, the infrastructure will send heartbeats to the watchdog driver
106  if 'timeout' is larger than max_hw_heartbeat_ms, unless WDOG_ACTIVE
107  is set and userspace failed to send a heartbeat for at least 'timeout'
108  seconds. max_hw_heartbeat_ms must be set if a driver does not implement
109  the stop function.
110* reboot_nb: notifier block that is registered for reboot notifications, for
111  internal use only. If the driver calls watchdog_stop_on_reboot, watchdog core
112  will stop the watchdog on such notifications.
113* restart_nb: notifier block that is registered for machine restart, for
114  internal use only. If a watchdog is capable of restarting the machine, it
115  should define ops->restart. Priority can be changed through
116  watchdog_set_restart_priority.
117* pm_nb: coordinates watchdog_dev_suspend/resume to cancel a ping worker
118  during suspend and restore it during resume.
119* bootstatus: status of the device after booting (reported with watchdog
120  WDIOF_* status bits).
121* driver_data: a pointer to the drivers private data of a watchdog device.
122  This data should only be accessed via the watchdog_set_drvdata and
123  watchdog_get_drvdata routines.
124* wd_data: a pointer to watchdog core internal data.
125* status: this field contains a number of status bits that give extra
126  information about the status of the device (Like: is the watchdog timer
127  running/active, or is the nowayout bit set).
128* deferred: entry in wtd_deferred_reg_list which is used to
129  register early initialized watchdogs.
130
131The list of watchdog operations is defined as::
132
133  struct watchdog_ops {
134	struct module *owner;
135	/* mandatory operations */
136	int (*start)(struct watchdog_device *);
137	/* optional operations */
138	int (*stop)(struct watchdog_device *);
139	int (*ping)(struct watchdog_device *);
140	unsigned int (*status)(struct watchdog_device *);
141	int (*set_timeout)(struct watchdog_device *, unsigned int);
142	int (*set_pretimeout)(struct watchdog_device *, unsigned int);
143	unsigned int (*get_timeleft)(struct watchdog_device *);
144	int (*restart)(struct watchdog_device *);
145	long (*ioctl)(struct watchdog_device *, unsigned int, unsigned long);
146  };
147
148It is important that you first define the module owner of the watchdog timer
149driver's operations. This module owner will be used to lock the module when
150the watchdog is active. (This to avoid a system crash when you unload the
151module and /dev/watchdog is still open).
152
153Some operations are mandatory and some are optional. The mandatory operations
154are:
155
156* start: this is a pointer to the routine that starts the watchdog timer
157  device.
158  The routine needs a pointer to the watchdog timer device structure as a
159  parameter. It returns zero on success or a negative errno code for failure.
160
161Not all watchdog timer hardware supports the same functionality. That's why
162all other routines/operations are optional. They only need to be provided if
163they are supported. These optional routines/operations are:
164
165* stop: with this routine the watchdog timer device is being stopped.
166
167  The routine needs a pointer to the watchdog timer device structure as a
168  parameter. It returns zero on success or a negative errno code for failure.
169  Some watchdog timer hardware can only be started and not be stopped. A
170  driver supporting such hardware does not have to implement the stop routine.
171
172  If a driver has no stop function, the watchdog core will set WDOG_HW_RUNNING
173  and start calling the driver's keepalive pings function after the watchdog
174  device is closed.
175
176  If a watchdog driver does not implement the stop function, it must set
177  max_hw_heartbeat_ms.
178* ping: this is the routine that sends a keepalive ping to the watchdog timer
179  hardware.
180
181  The routine needs a pointer to the watchdog timer device structure as a
182  parameter. It returns zero on success or a negative errno code for failure.
183
184  Most hardware that does not support this as a separate function uses the
185  start function to restart the watchdog timer hardware. And that's also what
186  the watchdog timer driver core does: to send a keepalive ping to the watchdog
187  timer hardware it will either use the ping operation (when available) or the
188  start operation (when the ping operation is not available).
189
190  (Note: the WDIOC_KEEPALIVE ioctl call will only be active when the
191  WDIOF_KEEPALIVEPING bit has been set in the option field on the watchdog's
192  info structure).
193* status: this routine checks the status of the watchdog timer device. The
194  status of the device is reported with watchdog WDIOF_* status flags/bits.
195
196  WDIOF_MAGICCLOSE and WDIOF_KEEPALIVEPING are reported by the watchdog core;
197  it is not necessary to report those bits from the driver. Also, if no status
198  function is provided by the driver, the watchdog core reports the status bits
199  provided in the bootstatus variable of struct watchdog_device.
200
201* set_timeout: this routine checks and changes the timeout of the watchdog
202  timer device. It returns 0 on success, -EINVAL for "parameter out of range"
203  and -EIO for "could not write value to the watchdog". On success this
204  routine should set the timeout value of the watchdog_device to the
205  achieved timeout value (which may be different from the requested one
206  because the watchdog does not necessarily have a 1 second resolution).
207
208  Drivers implementing max_hw_heartbeat_ms set the hardware watchdog heartbeat
209  to the minimum of timeout and max_hw_heartbeat_ms. Those drivers set the
210  timeout value of the watchdog_device either to the requested timeout value
211  (if it is larger than max_hw_heartbeat_ms), or to the achieved timeout value.
212  (Note: the WDIOF_SETTIMEOUT needs to be set in the options field of the
213  watchdog's info structure).
214
215  If the watchdog driver does not have to perform any action but setting the
216  watchdog_device.timeout, this callback can be omitted.
217
218  If set_timeout is not provided but WDIOF_SETTIMEOUT is set, the watchdog
219  infrastructure updates the timeout value of the watchdog_device internally
220  to the requested value.
221
222  If the pretimeout feature is used (WDIOF_PRETIMEOUT), then set_timeout must
223  also take care of checking if pretimeout is still valid and set up the timer
224  accordingly. This can't be done in the core without races, so it is the
225  duty of the driver.
226* set_pretimeout: this routine checks and changes the pretimeout value of
227  the watchdog. It is optional because not all watchdogs support pretimeout
228  notification. The timeout value is not an absolute time, but the number of
229  seconds before the actual timeout would happen. It returns 0 on success,
230  -EINVAL for "parameter out of range" and -EIO for "could not write value to
231  the watchdog". A value of 0 disables pretimeout notification.
232
233  (Note: the WDIOF_PRETIMEOUT needs to be set in the options field of the
234  watchdog's info structure.)
235
236  If the watchdog driver does not have to perform any action but setting the
237  watchdog_device.pretimeout, this callback can be omitted. That means if
238  set_pretimeout is not provided but WDIOF_PRETIMEOUT is set, the watchdog
239  infrastructure updates the pretimeout value of the watchdog_device internally
240  to the requested value.
241
242* get_timeleft: this routines returns the time that's left before a reset.
243* restart: this routine restarts the machine. It returns 0 on success or a
244  negative errno code for failure.
245* ioctl: if this routine is present then it will be called first before we do
246  our own internal ioctl call handling. This routine should return -ENOIOCTLCMD
247  if a command is not supported. The parameters that are passed to the ioctl
248  call are: watchdog_device, cmd and arg.
249
250The status bits should (preferably) be set with the set_bit and clear_bit alike
251bit-operations. The status bits that are defined are:
252
253* WDOG_ACTIVE: this status bit indicates whether a watchdog timer device
254  is active or not from user perspective. User space is expected to send
255  heartbeat requests to the driver while this flag is set.
256* WDOG_NO_WAY_OUT: this bit stores the nowayout setting for the watchdog.
257  If this bit is set then the watchdog timer will not be able to stop.
258* WDOG_HW_RUNNING: Set by the watchdog driver if the hardware watchdog is
259  running. The bit must be set if the watchdog timer hardware can not be
260  stopped. The bit may also be set if the watchdog timer is running after
261  booting, before the watchdog device is opened. If set, the watchdog
262  infrastructure will send keepalives to the watchdog hardware while
263  WDOG_ACTIVE is not set.
264  Note: when you register the watchdog timer device with this bit set,
265  then opening /dev/watchdog will skip the start operation but send a keepalive
266  request instead.
267
268Helper Functions
269~~~~~~~~~~~~~~~~
270
271  To set the WDOG_NO_WAY_OUT status bit (before registering your watchdog
272  timer device) you can either:
273
274  * set it statically in your struct watchdog_device with
275
276	.status = WATCHDOG_NOWAYOUT_INIT_STATUS,
277
278    (this will set the value the same as CONFIG_WATCHDOG_NOWAYOUT) or
279  * use the following helper function::
280
281	static inline void watchdog_set_nowayout(struct watchdog_device *wdd,
282						 int nowayout)
283
284Note:
285   The WatchDog Timer Driver Core supports the magic close feature and
286   the nowayout feature. To use the magic close feature you must set the
287   WDIOF_MAGICCLOSE bit in the options field of the watchdog's info structure.
288
289The nowayout feature will overrule the magic close feature.
290
291To get or set driver specific data the following two helper functions should be
292used::
293
294  static inline void watchdog_set_drvdata(struct watchdog_device *wdd,
295					  void *data)
296  static inline void *watchdog_get_drvdata(struct watchdog_device *wdd)
297
298The watchdog_set_drvdata function allows you to add driver specific data. The
299arguments of this function are the watchdog device where you want to add the
300driver specific data to and a pointer to the data itself.
301
302The watchdog_get_drvdata function allows you to retrieve driver specific data.
303The argument of this function is the watchdog device where you want to retrieve
304data from. The function returns the pointer to the driver specific data.
305
306To initialize the timeout field, the following function can be used::
307
308  extern int watchdog_init_timeout(struct watchdog_device *wdd,
309                                   unsigned int timeout_parm,
310                                   const struct device *dev);
311
312The watchdog_init_timeout function allows you to initialize the timeout field
313using the module timeout parameter or by retrieving the timeout-sec property from
314the device tree (if the module timeout parameter is invalid). Best practice is
315to set the default timeout value as timeout value in the watchdog_device and
316then use this function to set the user "preferred" timeout value.
317This routine returns zero on success and a negative errno code for failure.
318
319To disable the watchdog on reboot, the user must call the following helper::
320
321  static inline void watchdog_stop_on_reboot(struct watchdog_device *wdd);
322
323To disable the watchdog when unregistering the watchdog, the user must call
324the following helper. Note that this will only stop the watchdog if the
325nowayout flag is not set.
326
327::
328
329  static inline void watchdog_stop_on_unregister(struct watchdog_device *wdd);
330
331To change the priority of the restart handler the following helper should be
332used::
333
334  void watchdog_set_restart_priority(struct watchdog_device *wdd, int priority);
335
336User should follow the following guidelines for setting the priority:
337
338* 0: should be called in last resort, has limited restart capabilities
339* 128: default restart handler, use if no other handler is expected to be
340  available, and/or if restart is sufficient to restart the entire system
341* 255: highest priority, will preempt all other restart handlers
342
343To raise a pretimeout notification, the following function should be used::
344
345  void watchdog_notify_pretimeout(struct watchdog_device *wdd)
346
347The function can be called in the interrupt context. If watchdog pretimeout
348governor framework (kconfig CONFIG_WATCHDOG_PRETIMEOUT_GOV symbol) is enabled,
349an action is taken by a preconfigured pretimeout governor preassigned to
350the watchdog device. If watchdog pretimeout governor framework is not
351enabled, watchdog_notify_pretimeout() prints a notification message to
352the kernel log buffer.
353
354To set the last known HW keepalive time for a watchdog, the following function
355should be used::
356
357  int watchdog_set_last_hw_keepalive(struct watchdog_device *wdd,
358                                     unsigned int last_ping_ms)
359
360This function must be called immediately after watchdog registration. It
361sets the last known hardware heartbeat to have happened last_ping_ms before
362current time. Calling this is only needed if the watchdog is already running
363when probe is called, and the watchdog can only be pinged after the
364min_hw_heartbeat_ms time has passed from the last ping.
365