diff options
| author | Hans de Goede <hdegoede@redhat.com> | 2012-05-22 05:40:26 -0400 |
|---|---|---|
| committer | Wim Van Sebroeck <wim@iguana.be> | 2012-05-30 01:55:31 -0400 |
| commit | e907df32725204d6d2cb79b872529911c8eadcdf (patch) | |
| tree | 3e90c58ea0ee9c2d77c1c4b0854dc046f6efb6a0 /Documentation/watchdog | |
| parent | f4e9c82f64b524314a390b13d3ba7d483f09258f (diff) | |
watchdog: Add support for dynamically allocated watchdog_device structs
If a driver's watchdog_device struct is part of a dynamically allocated
struct (which it often will be), merely locking the module is not enough,
even with a drivers module locked, the driver can be unbound from the device,
examples:
1) The root user can unbind it through sysfd
2) The i2c bus master driver being unloaded for an i2c watchdog
I will gladly admit that these are corner cases, but we still need to handle
them correctly.
The fix for this consists of 2 parts:
1) Add ref / unref operations, so that the driver can refcount the struct
holding the watchdog_device struct and delay freeing it until any
open filehandles referring to it are closed
2) Most driver operations will do IO on the device and the driver should not
do any IO on the device after it has been unbound. Rather then letting each
driver deal with this internally, it is better to ensure at the watchdog
core level that no operations (other then unref) will get called after
the driver has called watchdog_unregister_device(). This actually is the
bulk of this patch.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
Diffstat (limited to 'Documentation/watchdog')
| -rw-r--r-- | Documentation/watchdog/watchdog-kernel-api.txt | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/Documentation/watchdog/watchdog-kernel-api.txt b/Documentation/watchdog/watchdog-kernel-api.txt index 08d34e11bc54..086638f6c82d 100644 --- a/Documentation/watchdog/watchdog-kernel-api.txt +++ b/Documentation/watchdog/watchdog-kernel-api.txt | |||
| @@ -1,6 +1,6 @@ | |||
| 1 | The Linux WatchDog Timer Driver Core kernel API. | 1 | The Linux WatchDog Timer Driver Core kernel API. |
| 2 | =============================================== | 2 | =============================================== |
| 3 | Last reviewed: 21-May-2012 | 3 | Last reviewed: 22-May-2012 |
| 4 | 4 | ||
| 5 | Wim Van Sebroeck <wim@iguana.be> | 5 | Wim Van Sebroeck <wim@iguana.be> |
| 6 | 6 | ||
| @@ -93,6 +93,8 @@ struct watchdog_ops { | |||
| 93 | unsigned int (*status)(struct watchdog_device *); | 93 | unsigned int (*status)(struct watchdog_device *); |
| 94 | int (*set_timeout)(struct watchdog_device *, unsigned int); | 94 | int (*set_timeout)(struct watchdog_device *, unsigned int); |
| 95 | unsigned int (*get_timeleft)(struct watchdog_device *); | 95 | unsigned int (*get_timeleft)(struct watchdog_device *); |
| 96 | void (*ref)(struct watchdog_device *); | ||
| 97 | void (*unref)(struct watchdog_device *); | ||
| 96 | long (*ioctl)(struct watchdog_device *, unsigned int, unsigned long); | 98 | long (*ioctl)(struct watchdog_device *, unsigned int, unsigned long); |
| 97 | }; | 99 | }; |
| 98 | 100 | ||
| @@ -100,6 +102,21 @@ It is important that you first define the module owner of the watchdog timer | |||
| 100 | driver's operations. This module owner will be used to lock the module when | 102 | driver's operations. This module owner will be used to lock the module when |
| 101 | the watchdog is active. (This to avoid a system crash when you unload the | 103 | the watchdog is active. (This to avoid a system crash when you unload the |
| 102 | module and /dev/watchdog is still open). | 104 | module and /dev/watchdog is still open). |
| 105 | |||
| 106 | If the watchdog_device struct is dynamically allocated, just locking the module | ||
| 107 | is not enough and a driver also needs to define the ref and unref operations to | ||
| 108 | ensure the structure holding the watchdog_device does not go away. | ||
| 109 | |||
| 110 | The simplest (and usually sufficient) implementation of this is to: | ||
| 111 | 1) Add a kref struct to the same structure which is holding the watchdog_device | ||
| 112 | 2) Define a release callback for the kref which frees the struct holding both | ||
| 113 | 3) Call kref_init on this kref *before* calling watchdog_register_device() | ||
| 114 | 4) Define a ref operation calling kref_get on this kref | ||
| 115 | 5) Define a unref operation calling kref_put on this kref | ||
| 116 | 6) When it is time to cleanup: | ||
| 117 | * Do not kfree() the struct holding both, the last kref_put will do this! | ||
| 118 | * *After* calling watchdog_unregister_device() call kref_put on the kref | ||
| 119 | |||
| 103 | Some operations are mandatory and some are optional. The mandatory operations | 120 | Some operations are mandatory and some are optional. The mandatory operations |
| 104 | are: | 121 | are: |
| 105 | * start: this is a pointer to the routine that starts the watchdog timer | 122 | * start: this is a pointer to the routine that starts the watchdog timer |
| @@ -140,6 +157,10 @@ they are supported. These optional routines/operations are: | |||
| 140 | (Note: the WDIOF_SETTIMEOUT needs to be set in the options field of the | 157 | (Note: the WDIOF_SETTIMEOUT needs to be set in the options field of the |
| 141 | watchdog's info structure). | 158 | watchdog's info structure). |
| 142 | * get_timeleft: this routines returns the time that's left before a reset. | 159 | * get_timeleft: this routines returns the time that's left before a reset. |
| 160 | * ref: the operation that calls kref_get on the kref of a dynamically | ||
| 161 | allocated watchdog_device struct. | ||
| 162 | * unref: the operation that calls kref_put on the kref of a dynamically | ||
| 163 | allocated watchdog_device struct. | ||
| 143 | * ioctl: if this routine is present then it will be called first before we do | 164 | * ioctl: if this routine is present then it will be called first before we do |
| 144 | our own internal ioctl call handling. This routine should return -ENOIOCTLCMD | 165 | our own internal ioctl call handling. This routine should return -ENOIOCTLCMD |
| 145 | if a command is not supported. The parameters that are passed to the ioctl | 166 | if a command is not supported. The parameters that are passed to the ioctl |
| @@ -159,6 +180,11 @@ bit-operations. The status bits that are defined are: | |||
| 159 | (This bit should only be used by the WatchDog Timer Driver Core). | 180 | (This bit should only be used by the WatchDog Timer Driver Core). |
| 160 | * WDOG_NO_WAY_OUT: this bit stores the nowayout setting for the watchdog. | 181 | * WDOG_NO_WAY_OUT: this bit stores the nowayout setting for the watchdog. |
| 161 | If this bit is set then the watchdog timer will not be able to stop. | 182 | If this bit is set then the watchdog timer will not be able to stop. |
| 183 | * WDOG_UNREGISTERED: this bit gets set by the WatchDog Timer Driver Core | ||
| 184 | after calling watchdog_unregister_device, and then checked before calling | ||
| 185 | any watchdog_ops, so that you can be sure that no operations (other then | ||
| 186 | unref) will get called after unregister, even if userspace still holds a | ||
| 187 | reference to /dev/watchdog | ||
| 162 | 188 | ||
| 163 | To set the WDOG_NO_WAY_OUT status bit (before registering your watchdog | 189 | To set the WDOG_NO_WAY_OUT status bit (before registering your watchdog |
| 164 | timer device) you can either: | 190 | timer device) you can either: |