I think that this is a good idea. Although, I would not necessarily tie the
software watchdog to not having any hardware watchdog. This is probably a good
default policy, but I would allow to enable / disable the software watchdog
explicitly (e.g. via a sysctl).

I also think that we should support enabling several watchdog timers with
different timeouts. Each of them can serve a different purpose. E.g., a
software or hardware NMI-sending watchdog can be used to get diagnostic data out
of a hung system while a resetting watchdog can be used to ensure fail-safe
operation.
Makes sense.
I guess that the second software watchdog was added to achieve what I suggested
above. Of course, it would have been nicer to re-use SW_WATCHDOG for that
purpose and to add a more generic support for configuring multiple watchdog
timers with different timeouts. But I guess that adding a new single-purpose
software watchdog was much easier to do.

P.S.
And maybe just using the second software watchdog would be good enough for what
you are doing?

This is not a good reason to include this code in GENERIC. Should I
add all the things I find handy at $WORK too?

Further I think this is going in the opposite direction of
what we should be doing, less and less included in GENERIC, more and
more done as loadable options. I think Warner (imp@) is going
down this path with his devmatch code.

Now if you can recode this functionality so that it is a
boot time loadable module I am sure many would be very happy
to have that! It would satisfy your need of not having to
recompile a kernel, and others need of not needing this code
at all.

I think we have lost some light as to what the GENERIC kernel
is really for, to get you up and running good enough that you
can infact build a custom kernel. I do not think it was ever
intended that people run this long term, though over the years
that has become the defacto standard. IMHO, a bad one at that.
I have no idea why we have 2, but can hypothosize that 2 different
people did the work, and both got included. As far as only
action on a timeuot being panic/reboot, not sure I agree with
that as we should provide a method (timeout has occured, what
would you like to do) not a policy (reboot/panic).

I understand what you are saying, but let me add some context. The
watchdog driver and framework are part of the base system, and
SW_WATCHDOG is about a dozen lines of code embedded in hardclock.
So about 90% of the facility is already in the base system, and I
propose to make it 100%.
I agree with using loadable modules more if they can be selected
automatically, e.g. Warner's work. Keeping dozens of drivers out of
the base, and not having to edit loader.conf to include all the
desired facilities, is a big improvement.
As noted, this is tiny, and the hooks to hardclock to connect to
the module would be about the same size as the current code. The
advantage of the SW_WATCHDOG facility is that it is deeply embedded,
requiring only that hardclock be running.
I'm not sure I agree with this goal, although I used to run custom
kernels quite often to save space. That is less of a goal on x86
than in the past, and device drivers are the real bloat. I don't
think that a large fraction of FreeBSD users build custom kernels,
although I don't have actual data. But even in 4.xBSD days, many
systems ran the generic kernel.

Mike

My proposed change is in Phabricator, https://reviews.freebsd.org/D13713.

A couple of notes:

- I retained the SW_WATCHDOG option; it now just enables the software
watchdog even if a hardware watchdog is attached, as it would have done
in the past. I updated NOTES and the watchdog(4) information accordingly.
I did not provide for any other combination of watchdogs or actions; that
would require a complete rework of the kernel API. Note that the hardware
watchdogs provide no choice of action; they simply reset the box.

- I have tested this with and without the SW_WATCHDOG option, but do not
have a hardware watchdog to test with. If someone could test this, it would
be much apprectiated. I tested by enabling watchdogd with default parameters,
doing b"killall -STOP watchdogd", and then observing that the system dropped
into the debugger after about 128 sec. It drops into the debugger if KDB
is defined and KDB_UNATTENDED is not; otherise it panics (as before).
I think the hardclock-based SW_WATCHDOG is better than the --softtimeout
wactchdog because it runs at a lower level (hardclock vs callout/softclock).
In particular, I have found it to work in situations where a locking
deadly embrace started in the network stack, and then a callout routine
got stuck as well when a function it called blocked on the offending lock.
That caused watchdogd to fail to be rescheduled, and the watchdog fired as
a result. The callout-based facility could have been blocked out as well.

Mike

The SW_WATCHDOG option has changed in function, it use to control
if this code was compiled in at all, it now does something different.
This code is compile in now no matter what with no option to remove
it, which means there is one more rarely used option in the GENERIC
kernel that can not be removed. 1 byte or 100 does not matter, it
is that policy has been shoved down the users throat. "You shall have
a software watchdog timer in your kernel weither you want it there
or not, and it is turned off by default."

We have way to many of those types of things already,
adding to this list is going in the wrong direction.
This change as it stands requires a RELNOTES flag.