Coredump is a generally useful and interesting event in the lifetime of a process. Add a tracepoint so it can be monitored through the standard kernel tracing infrastructure. BPF-based crash monitoring is an advanced approach that allows real-time crash interception: by attaching a BPF program at this point, tools can use bpf_get_stack() with BPF_F_USER_STACK to capture the user-space stack trace at the exact moment of the crash, before the process is fully terminated, without waiting for a coredump file to be written and parsed. However, there is currently no stable kernel API for this use case. Existing tools rely on attaching fentry probes to do_coredump(), which is an internal function whose signature changes across kernel versions, breaking these tools. Add a stable tracepoint that fires at the beginning of do_coredump(), providing BPF programs a reliable attachment point. At tracepoint time, the crashing process context is still live, so BPF programs can call bpf_get_stack() with BPF_F_USER_STACK to extract the user-space backtrace. The tracepoint records: - sig: signal number that triggered the coredump - comm: process name Example output: $ echo 1 > /sys/kernel/tracing/events/coredump/coredump/enable $ sleep 999 & $ kill -SEGV $! $ cat /sys/kernel/tracing/trace # TASK-PID CPU# ||||| TIMESTAMP FUNCTION # | | | ||||| | | sleep-634 [036] ..... 145.222206: coredump: sig=11 comm=sleep Suggested-by: Andrii Nakryiko Signed-off-by: Breno Leitao --- Changes in v2: - Remove the pid from the tracpoint message, given pid is saved in all trace events (Christian, Steven) - Link to v1: https://patch.msgid.link/20260320-coredump_tracepoint-v1-1-34864746cbb3@debian.org --- fs/coredump.c | 5 +++++ include/trace/events/coredump.h | 45 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+) diff --git a/fs/coredump.c b/fs/coredump.c index 29df8aa19e2e7..bb6fdb1f458e9 100644 --- a/fs/coredump.c +++ b/fs/coredump.c @@ -63,6 +63,9 @@ #include +#define CREATE_TRACE_POINTS +#include + static bool dump_vma_snapshot(struct coredump_params *cprm); static void free_vma_snapshot(struct coredump_params *cprm); @@ -1090,6 +1093,8 @@ static inline bool coredump_skip(const struct coredump_params *cprm, static void do_coredump(struct core_name *cn, struct coredump_params *cprm, size_t **argv, int *argc, const struct linux_binfmt *binfmt) { + trace_coredump(cprm->siginfo->si_signo); + if (!coredump_parse(cn, cprm, argv, argc)) { coredump_report_failure("format_corename failed, aborting core"); return; diff --git a/include/trace/events/coredump.h b/include/trace/events/coredump.h new file mode 100644 index 0000000000000..c7b9c53fc4986 --- /dev/null +++ b/include/trace/events/coredump.h @@ -0,0 +1,45 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright (c) 2026 Meta Platforms, Inc. and affiliates. + * Copyright (c) 2026 Breno Leitao + */ +#undef TRACE_SYSTEM +#define TRACE_SYSTEM coredump + +#if !defined(_TRACE_COREDUMP_H) || defined(TRACE_HEADER_MULTI_READ) +#define _TRACE_COREDUMP_H + +#include +#include + +/** + * coredump - called when a coredump starts + * @sig: signal number that triggered the coredump + * + * This tracepoint fires at the beginning of a coredump attempt, + * providing a stable interface for monitoring coredump events. + */ +TRACE_EVENT(coredump, + + TP_PROTO(int sig), + + TP_ARGS(sig), + + TP_STRUCT__entry( + __field(int, sig) + __array(char, comm, TASK_COMM_LEN) + ), + + TP_fast_assign( + __entry->sig = sig; + memcpy(__entry->comm, current->comm, TASK_COMM_LEN); + ), + + TP_printk("sig=%d comm=%s", + __entry->sig, __entry->comm) +); + +#endif /* _TRACE_COREDUMP_H */ + +/* This part must be outside protection */ +#include --- base-commit: b5d083a3ed1e2798396d5e491432e887da8d4a06 change-id: 20260320-coredump_tracepoint-4de4399ce1b6 Best regards, -- Breno Leitao