[PATCH] reboot: Backup orderly_poweroff

[PATCH] reboot: Backup orderly_poweroff

[Keerthy]

orderly_poweroff is triggered when a graceful shutdown
of system is desired. This may be used in many critical states of the
kernel such as when subsystems detects conditions such as critical
temperature conditions. However, in certain conditions in system
boot up sequences like those in the middle of driver probes being
initiated, userspace will be unable to power off the system in a clean
manner and leaves the system in a critical state. In cases like these,
the /sbin/poweroff will return success (having forked off to attempt
powering off the system. However, the system overall will fail to
completely poweroff (since other modules will be probed) and the system
is still functional with no userspace (since that would have shut itself
off).

However, there is no clean way of detecting such failure of userspace
powering off the system. In such scenarios, it is necessary for a backup
workqueue to be able to force a shutdown of the system when orderly
shutdown is not successful after a configurable time period.

Signed-off-by: Keerthy <j-keerthy@ti.com>
Suggested-by: Eduardo Valentin <edubezval@gmail.com> 
Reported-by: Nishanth Menon <nm@ti.com>
---
Links to previous discussion can be found here:

http://www.spinics.net/lists/linux-omap/msg124925.html

Boot tested on DRA7.

 arch/Kconfig    |  7 +++++++
 kernel/reboot.c | 23 ++++++++++++++++++-----
 2 files changed, 25 insertions(+), 5 deletions(-)

Index: linux/arch/Kconfig
===================================================================
--- linux.orig/arch/Kconfig	2016-01-11 15:26:07.732173131 +0530
+++ linux/arch/Kconfig	2016-01-11 15:26:07.728173205 +0530
@@ -37,6 +37,18 @@
 	def_bool y
 	depends on PERF_EVENTS && HAVE_PERF_EVENTS_NMI && !PPC64
 
+config SHUTDOWN_BACKUP_DELAY_MS
+	int "Backup shutdown delay in milli-seconds"
+	default 0
+	help
+	  The number of milliseconds to delay before backup workqueue
+	  executes attempting to poweroff the system after the
+	  orderly_poweroff function has failed to complete.
+
+	  If set to 0, the backup workqueue is not active. The value
+	  should be conservatively configured based on userspace latencies
+	  expected for a given system.
+
 config KPROBES
 	bool "Kprobes"
 	depends on MODULES
Index: linux/kernel/reboot.c
===================================================================
--- linux.orig/kernel/reboot.c	2016-01-11 15:26:07.732173131 +0530
+++ linux/kernel/reboot.c	2016-01-11 15:38:33.502341511 +0530
@@ -424,6 +424,38 @@
 	return ret;
 }
 
+#ifdef CONFIG_SHUTDOWN_BACKUP_DELAY_MS
+
+/**
+ * shutdown_backup_func - shutdown backup work after a known delay
+ * @work: work_struct associated with the backup shutdown function
+ *
+ * In system bootup sequences like those in the middle of driver probes being
+ * initiated, userspace will be unable to power off the system in a clean
+ * manner and leaves the system in a critical state.
+ * In such scenarios, this backup workqueue forces a shutdown of the system
+ * when orderly shutdown is not successful after a configurable time period.
+ */
+static void shutdown_backup_func(struct work_struct *work)
+{
+	pr_warn("Orderly_poweroff has failed! Attempting kernel_power_off\n");
+	kernel_power_off();
+
+	pr_warn("kernel_power_off has failed! Attempting emergency_restart\n");
+	emergency_restart();
+}
+
+static DECLARE_DELAYED_WORK(bkup_shutdown_work, shutdown_backup_func);
+
+static inline void setup_backup_shutdown_workqueue(void)
+{
+	schedule_delayed_work(&bkup_shutdown_work,
+		      msecs_to_jiffies(CONFIG_SHUTDOWN_BACKUP_DELAY_MS));
+}
+#else
+static inline void setup_backup_shutdown_workqueue(void) { }
+#endif
+
 static int __orderly_poweroff(bool force)
 {
 	int ret;
@@ -442,6 +474,12 @@
 		kernel_power_off();
 	}
 
+	/*
+	 * Schedule a backup work function to execute after a known time
+	 * when orderly shutdown fails.
+	 */
+	setup_backup_shutdown_workqueue();
+
 	return ret;
 }
 

Re: [PATCH] reboot: Backup orderly_poweroff

[Josh Triplett]

On Mon, Jan 11, 2016 at 03:53:24PM +0530, Keerthy wrote:
> orderly_poweroff is triggered when a graceful shutdown
> of system is desired. This may be used in many critical states of the
> kernel such as when subsystems detects conditions such as critical
> temperature conditions. However, in certain conditions in system
> boot up sequences like those in the middle of driver probes being
> initiated, userspace will be unable to power off the system in a clean
> manner and leaves the system in a critical state. In cases like these,
> the /sbin/poweroff will return success (having forked off to attempt
> powering off the system. However, the system overall will fail to
> completely poweroff (since other modules will be probed) and the system
> is still functional with no userspace (since that would have shut itself
> off).
> 
> However, there is no clean way of detecting such failure of userspace
> powering off the system. In such scenarios, it is necessary for a backup
> workqueue to be able to force a shutdown of the system when orderly
> shutdown is not successful after a configurable time period.

One issue below, inline.

> Signed-off-by: Keerthy <j-keerthy@ti.com>
> Suggested-by: Eduardo Valentin <edubezval@gmail.com> 
> Reported-by: Nishanth Menon <nm@ti.com>
> ---
> Links to previous discussion can be found here:
> 
> http://www.spinics.net/lists/linux-omap/msg124925.html
> 
> Boot tested on DRA7.
> 
>  arch/Kconfig    |  7 +++++++
>  kernel/reboot.c | 23 ++++++++++++++++++-----
>  2 files changed, 25 insertions(+), 5 deletions(-)
> 
> Index: linux/arch/Kconfig
> ===================================================================
> --- linux.orig/arch/Kconfig	2016-01-11 15:26:07.732173131 +0530
> +++ linux/arch/Kconfig	2016-01-11 15:26:07.728173205 +0530
> @@ -37,6 +37,18 @@
>  	def_bool y
>  	depends on PERF_EVENTS && HAVE_PERF_EVENTS_NMI && !PPC64
>  
> +config SHUTDOWN_BACKUP_DELAY_MS
> +	int "Backup shutdown delay in milli-seconds"
> +	default 0

With no dependencies, as far as I can tell this will always get defined
with a value, defaulting to 0.  (I don't know of any special cases in
Kconfig for an int value of 0.)  Thus, in the code below...

> --- linux.orig/kernel/reboot.c	2016-01-11 15:26:07.732173131 +0530
> +++ linux/kernel/reboot.c	2016-01-11 15:38:33.502341511 +0530
> @@ -424,6 +424,38 @@
>  	return ret;
>  }
>  
> +#ifdef CONFIG_SHUTDOWN_BACKUP_DELAY_MS

...this should use #if, not #ifdef.  Otherwise this code will get
compiled into every kernel.

- Josh Triplett

Re: [PATCH] reboot: Backup orderly_poweroff

[Keerthy]

On Monday 11 January 2016 08:25 PM, Josh Triplett wrote:
> On Mon, Jan 11, 2016 at 03:53:24PM +0530, Keerthy wrote:
>> orderly_poweroff is triggered when a graceful shutdown
>> of system is desired. This may be used in many critical states of the
>> kernel such as when subsystems detects conditions such as critical
>> temperature conditions. However, in certain conditions in system
>> boot up sequences like those in the middle of driver probes being
>> initiated, userspace will be unable to power off the system in a clean
>> manner and leaves the system in a critical state. In cases like these,
>> the /sbin/poweroff will return success (having forked off to attempt
>> powering off the system. However, the system overall will fail to
>> completely poweroff (since other modules will be probed) and the system
>> is still functional with no userspace (since that would have shut itself
>> off).
>>
>> However, there is no clean way of detecting such failure of userspace
>> powering off the system. In such scenarios, it is necessary for a backup
>> workqueue to be able to force a shutdown of the system when orderly
>> shutdown is not successful after a configurable time period.
>
> One issue below, inline.
>
>> Signed-off-by: Keerthy <j-keerthy@ti.com>
>> Suggested-by: Eduardo Valentin <edubezval@gmail.com>
>> Reported-by: Nishanth Menon <nm@ti.com>
>> ---
>> Links to previous discussion can be found here:
>>
>> http://www.spinics.net/lists/linux-omap/msg124925.html
>>
>> Boot tested on DRA7.
>>
>>   arch/Kconfig    |  7 +++++++
>>   kernel/reboot.c | 23 ++++++++++++++++++-----
>>   2 files changed, 25 insertions(+), 5 deletions(-)
>>
>> Index: linux/arch/Kconfig
>> ===================================================================
>> --- linux.orig/arch/Kconfig	2016-01-11 15:26:07.732173131 +0530
>> +++ linux/arch/Kconfig	2016-01-11 15:26:07.728173205 +0530
>> @@ -37,6 +37,18 @@
>>   	def_bool y
>>   	depends on PERF_EVENTS && HAVE_PERF_EVENTS_NMI && !PPC64
>>
>> +config SHUTDOWN_BACKUP_DELAY_MS
>> +	int "Backup shutdown delay in milli-seconds"
>> +	default 0
>
> With no dependencies, as far as I can tell this will always get defined
> with a value, defaulting to 0.  (I don't know of any special cases in
> Kconfig for an int value of 0.)  Thus, in the code below...

Yes. I will fix this and post a new version. Thanks for the review.

Regards,
Keerthy
>
>> --- linux.orig/kernel/reboot.c	2016-01-11 15:26:07.732173131 +0530
>> +++ linux/kernel/reboot.c	2016-01-11 15:38:33.502341511 +0530
>> @@ -424,6 +424,38 @@
>>   	return ret;
>>   }
>>
>> +#ifdef CONFIG_SHUTDOWN_BACKUP_DELAY_MS
>
> ...this should use #if, not #ifdef.  Otherwise this code will get
> compiled into every kernel.
>
> - Josh Triplett
>