第一次遇到看门狗芯片是通过切换电平信号来喂狗，如 SGM706 芯片，之前也比较少会用到看门狗芯片。原本打算参考 sunxi-wdt.c 的框架，利用定时器自己写一个，无意中发现内核已经有 gpio_wdt.c 驱动程序，其原理也是通过内核定时器实现喂狗。因其使用了 of_get_gpio_flags() 接口获取 GPIO 信息，和 gpio-keys.c 驱动一样，该接口存在内存越界的问题，需要略作修改才能使用。

内核配置

内核版本：Linux 4.9

make ARCH=arm64 menuconfig

Device Drivers  --->
	[*] Watchdog Timer Support  --->
		<*>   LED Support for GPIO connected LEDs 
			<*>   Watchdog device controlled through GPIO-line

配置文件

sys_config.fex

全志平台便捷方式配置，不过新平台不再支持 sys_config.fex了，也可以使用通用的 dts 配置方式

;----------------------------------------------------------------------------------
;gpio-wdt parameters
;compatible: 匹配平台驱动
;hw_algo: 清除看门狗计数方式：切换方式(toggle)或脉冲方式(level)
;hw_margin_ms: 看门狗电路会触发复位的最长时间(毫秒)，不能小于 2 或者大于 65535
;always-running: 如果看门狗不能关闭，使能后驱动默认会自动喂狗，在应用层调用 STOP 接口不会执行关闭
;gpios: 连接看门狗芯片 WDI 的引脚
;----------------------------------------------------------------------------------
[wdt-gpio]
compatible = "linux,wdt-gpio"
hw_algo = "level"
hw_margin_ms = 1600
always-running = "true"
gpios = port:PL12<1><default><default><default>

配置选项说明：linux-4.9\Documentation\devicetree\bindings\watchdog\gpio_wdt.txt

* GPIO-controlled Watchdog

Required Properties:
- compatible: Should contain "linux,wdt-gpio".
- gpios: From common gpio binding; gpio connection to WDT reset pin.
- hw_algo: The algorithm used by the driver. Should be one of the
  following values:
  - toggle: Either a high-to-low or a low-to-high transition clears
    the WDT counter. The watchdog timer is disabled when GPIO is
    left floating or connected to a three-state buffer.
  - level: Low or high level starts counting WDT timeout,
    the opposite level disables the WDT. Active level is determined
    by the GPIO flags.
- hw_margin_ms: Maximum time to reset watchdog circuit (milliseconds).

Optional Properties:
- always-running: If the watchdog timer cannot be disabled, add this flag to
  have the driver keep toggling the signal without a client. It will only cease
  to toggle the signal when the device is open and the timeout elapsed.

Example:
	watchdog: watchdog {
		/* ADM706 */
		compatible = "linux,wdt-gpio";
		gpios = <&gpio3 9 GPIO_ACTIVE_LOW>;
		hw_algo = "toggle";
		hw_margin_ms = <1600>;
	};

内存越界

日志信息

[    3.727333] sunxi-wdt 1c20ca0.watchdog: Watchdog enabled (timeout=16 sec, nowayout=0)
[    3.736874] of_get_named_gpiod_flags: parsed 'gpios' property of node '/soc@01c00000/wdt-gpio[0]' - status (0)
[    3.748392] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffff8008655044
[    3.748392] 
[    3.760564] CPU: 2 PID: 1 Comm: swapper/0 Not tainted 4.9.56 #179
[    3.767382] Hardware name: sun50iw1 (DT)
[    3.771771] Call trace:
[    3.774522] [<ffffff800808a7d4>] dump_backtrace+0x0/0x22c
[    3.780566] [<ffffff800808aa24>] show_stack+0x24/0x30
[    3.786226] [<ffffff80083c9a64>] dump_stack+0x8c/0xb0
[    3.791880] [<ffffff80081a5960>] panic+0x14c/0x298
[    3.797247] [<ffffff80080a19d0>] print_tainted+0x0/0xa8
[    3.803099] [<ffffff8008655044>] gpio_wdt_probe+0x230/0x258
[    3.809338] [<ffffff80084b3e9c>] platform_drv_probe+0x60/0xac
[    3.815770] [<ffffff80084b1a6c>] driver_probe_device+0x1b8/0x3d4
[    3.822493] [<ffffff80084b1d1c>] __driver_attach+0x94/0x108
[    3.828729] [<ffffff80084af68c>] bus_for_each_dev+0x88/0xc8
[    3.834964] [<ffffff80084b1374>] driver_attach+0x30/0x3c
[    3.840908] [<ffffff80084b0d24>] bus_add_driver+0xf8/0x24c
[    3.847046] [<ffffff80084b2a74>] driver_register+0x9c/0xe8
[    3.853186] [<ffffff80084b3de0>] __platform_driver_register+0x5c/0x68
[    3.860400] [<ffffff8008d48a20>] gpio_wdt_driver_init+0x18/0x20
[    3.867026] [<ffffff8008083a2c>] do_one_initcall+0xb0/0x14c
[    3.873267] [<ffffff8008d10d64>] kernel_init_freeable+0x14c/0x1e8
[    3.880093] [<ffffff8008970724>] kernel_init+0x18/0x104
[    3.885941] [<ffffff8008083050>] ret_from_fork+0x10/0x40
[    3.891884] SMP: stopping secondary CPUs
[    3.896276] Kernel Offset: disabled
[    3.900178] Memory Limit: none
[    3.909173] Rebooting in 5 seconds..

解决补丁

--- linux-4.9\drivers\watchdog\gpio_wdt.c	2022-09-13 17:51:57.000000000 +0800
+++ linux-4.9\drivers\watchdog\gpio_wdt.c	2022-09-13 17:51:37.000000000 +0800
@@ -12,12 +12,13 @@
 #include <linux/err.h>
 #include <linux/delay.h>
 #include <linux/module.h>
 #include <linux/of_gpio.h>
 #include <linux/platform_device.h>
 #include <linux/watchdog.h>
+#include <linux/sunxi-gpio.h>
 
 #define SOFT_TIMEOUT_MIN	1
 #define SOFT_TIMEOUT_DEF	60
 #define SOFT_TIMEOUT_MAX	0xffff
 
 enum {
@@ -138,29 +139,29 @@
 	.set_timeout	= gpio_wdt_set_timeout,
 };
 
 static int gpio_wdt_probe(struct platform_device *pdev)
 {
 	struct gpio_wdt_priv *priv;
-	enum of_gpio_flags flags;
+	struct gpio_config gpio_flags;
 	unsigned int hw_margin;
 	unsigned long f = 0;
 	const char *algo;
 	int ret;
 
 	priv = devm_kzalloc(&pdev->dev, sizeof(*priv), GFP_KERNEL);
 	if (!priv)
 		return -ENOMEM;
 
 	platform_set_drvdata(pdev, priv);
 
-	priv->gpio = of_get_gpio_flags(pdev->dev.of_node, 0, &flags);
+	priv->gpio = of_get_gpio_flags(pdev->dev.of_node, 0, (enum of_gpio_flags *)&gpio_flags);
 	if (!gpio_is_valid(priv->gpio))
 		return priv->gpio;
 
-	priv->active_low = flags & OF_GPIO_ACTIVE_LOW;
+	priv->active_low = gpio_flags.data & OF_GPIO_ACTIVE_LOW;
 
 	ret = of_property_read_string(pdev->dev.of_node, "hw_algo", &algo);
 	if (ret)
 		return ret;
 	if (!strcmp(algo, "toggle")) {
 		priv->hw_algo = HW_ALGO_TOGGLE;

原因分析

1. gpio_wdt 驱动使用 of_get_gpio_flags() 获取 dts 里面 gpio 配置信息。
2. 但是 of_get_gpio_flags() 传入 enum of_gpio_flags 类型来获取配置信息。
3. of_get_gpio_flags() 的最终实现由具体的 SOC 厂商实现，这里是全志厂商实现。
4. 实现的函数为：drivers/pinctrl/sunxi/pinctrl-sunxi.c --> sunxi_pinctrl_gpio_of_xlate()。
5. 在 sunxi_pinctrl_gpio_of_xlate() 却是通过强制转换 struct gpio_config 类型存储 gpio 配置信息。
6. enum of_gpio_flags 占用 4 字节，而 struct gpio_config 占用 20 字节，出现内存越界操作的问题。

// include/linux/of_gpio.h
enum of_gpio_flags {		
	OF_GPIO_ACTIVE_LOW = 0x1,
	OF_GPIO_SINGLE_ENDED = 0x2,
}; // 4Byte

// include/linux/sunxi-gpio.h
struct gpio_config {
	u32	gpio;
	u32	mul_sel;
	u32	pull;
	u32	drv_level;
	u32	data;
}; // 20Byte

// drivers/pinctrl/sunxi/pinctrl-sunxi.c
static int sunxi_pinctrl_gpio_of_xlate(struct gpio_chip *gc,
				const struct of_phandle_args *gpiospec,
				u32 *flags)
{
	struct gpio_config *config;
	int pin, base;

	base = PINS_PER_BANK * gpiospec->args[0];
	pin = base + gpiospec->args[1];
	pin = pin - gc->base;
	if (pin > gc->ngpio)
		return -EINVAL;

	if (flags) {
		// 问题出在这个条件下面的赋值语句
		// 传进来的是 enum of_gpio_flags，只有 4Byte 
		// 结果使用的 struct gpio_config，却有 20Byte 
		config = (struct gpio_config *)flags;
		config->gpio = base + gpiospec->args[1];
		config->mul_sel = gpiospec->args[2];
		config->drv_level = gpiospec->args[3];
		config->pull = gpiospec->args[4];
		config->data = gpiospec->args[5];
	}

	return pin;
}