tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

coredump: add tracepoint for coredump events

Coredump is a generally useful and interesting event in the lifetime
of a process. Add a tracepoint so it can be monitored through the
standard kernel tracing infrastructure.

BPF-based crash monitoring is an advanced approach that
allows real-time crash interception: by attaching a BPF program at
this point, tools can use bpf_get_stack() with BPF_F_USER_STACK to
capture the user-space stack trace at the exact moment of the crash,
before the process is fully terminated, without waiting for a
coredump file to be written and parsed.

However, there is currently no stable kernel API for this use case.
Existing tools rely on attaching fentry probes to do_coredump(),
which is an internal function whose signature changes across kernel
versions, breaking these tools.

Add a stable tracepoint that fires at the beginning of
do_coredump(), providing BPF programs a reliable attachment point.
At tracepoint time, the crashing process context is still live, so
BPF programs can call bpf_get_stack() with BPF_F_USER_STACK to
extract the user-space backtrace.

The tracepoint records:
- sig: signal number that triggered the coredump
- comm: process name

Example output:

$ echo 1 > /sys/kernel/tracing/events/coredump/coredump/enable
$ sleep 999 &
$ kill -SEGV $!
$ cat /sys/kernel/tracing/trace
# TASK-PID CPU# ||||| TIMESTAMP FUNCTION
# | | | ||||| | |
sleep-634 [036] ..... 145.222206: coredump: sig=11 comm=sleep

Suggested-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Breno Leitao <leitao@debian.org>
Link: https://patch.msgid.link/20260323-coredump_tracepoint-v2-1-afced083b38d@debian.org
Signed-off-by: Christian Brauner <brauner@kernel.org>

authored by

Breno Leitao and committed by
Christian Brauner f30186b0 e247fd37

+50
+5
fs/coredump.c
··· 63 63 64 64 #include <trace/events/sched.h> 65 65 66 + #define CREATE_TRACE_POINTS 67 + #include <trace/events/coredump.h> 68 + 66 69 static bool dump_vma_snapshot(struct coredump_params *cprm); 67 70 static void free_vma_snapshot(struct coredump_params *cprm); 68 71 ··· 1093 1090 static void do_coredump(struct core_name *cn, struct coredump_params *cprm, 1094 1091 size_t **argv, int *argc, const struct linux_binfmt *binfmt) 1095 1092 { 1093 + trace_coredump(cprm->siginfo->si_signo); 1094 + 1096 1095 if (!coredump_parse(cn, cprm, argv, argc)) { 1097 1096 coredump_report_failure("format_corename failed, aborting core"); 1098 1097 return;
+45
include/trace/events/coredump.h
··· 1 + /* SPDX-License-Identifier: GPL-2.0 */ 2 + /* 3 + * Copyright (c) 2026 Meta Platforms, Inc. and affiliates. 4 + * Copyright (c) 2026 Breno Leitao <leitao@debian.org> 5 + */ 6 + #undef TRACE_SYSTEM 7 + #define TRACE_SYSTEM coredump 8 + 9 + #if !defined(_TRACE_COREDUMP_H) || defined(TRACE_HEADER_MULTI_READ) 10 + #define _TRACE_COREDUMP_H 11 + 12 + #include <linux/sched.h> 13 + #include <linux/tracepoint.h> 14 + 15 + /** 16 + * coredump - called when a coredump starts 17 + * @sig: signal number that triggered the coredump 18 + * 19 + * This tracepoint fires at the beginning of a coredump attempt, 20 + * providing a stable interface for monitoring coredump events. 21 + */ 22 + TRACE_EVENT(coredump, 23 + 24 + TP_PROTO(int sig), 25 + 26 + TP_ARGS(sig), 27 + 28 + TP_STRUCT__entry( 29 + __field(int, sig) 30 + __array(char, comm, TASK_COMM_LEN) 31 + ), 32 + 33 + TP_fast_assign( 34 + __entry->sig = sig; 35 + memcpy(__entry->comm, current->comm, TASK_COMM_LEN); 36 + ), 37 + 38 + TP_printk("sig=%d comm=%s", 39 + __entry->sig, __entry->comm) 40 + ); 41 + 42 + #endif /* _TRACE_COREDUMP_H */ 43 + 44 + /* This part must be outside protection */ 45 + #include <trace/define_trace.h>