coredump: add tracepoint for coredump events

leitao · brauner · commit f30186b0c782 · 2026-03-23T13:15:52.000+01:00
Coredump is a generally useful and interesting event in the lifetime of a process. Add a tracepoint so it can be monitored through the standard kernel tracing infrastructure. BPF-based crash monitoring is an advanced approach that allows real-time crash interception: by attaching a BPF program at this point, tools can use bpf_get_stack() with BPF_F_USER_STACK to capture the user-space stack trace at the exact moment of the crash, before the process is fully terminated, without waiting for a coredump file to be written and parsed. However, there is currently no stable kernel API for this use case. Existing tools rely on attaching fentry probes to do_coredump(), which is an internal function whose signature changes across kernel versions, breaking these tools. Add a stable tracepoint that fires at the beginning of do_coredump(), providing BPF programs a reliable attachment point. At tracepoint time, the crashing process context is still live, so BPF programs can call bpf_get_stack() with BPF_F_USER_STACK to extract the user-space backtrace. The tracepoint records: - sig: signal number that triggered the coredump - comm: process name Example output: $ echo 1 > /sys/kernel/tracing/events/coredump/coredump/enable $ sleep 999 & $ kill -SEGV $! $ cat /sys/kernel/tracing/trace # TASK-PID CPU# ||||| TIMESTAMP FUNCTION # | | | ||||| | | sleep-634 [036] ..... 145.222206: coredump: sig=11 comm=sleep Suggested-by: Andrii Nakryiko <andrii@kernel.org> Signed-off-by: Breno Leitao <leitao@debian.org> Link: https://patch.msgid.link/20260323-coredump_tracepoint-v2-1-afced083b38d@debian.org Signed-off-by: Christian Brauner <brauner@kernel.org>
diff --git a/fs/coredump.c b/fs/coredump.c
@@ -63,6 +63,9 @@
 
 #include <trace/events/sched.h>
 
+#define CREATE_TRACE_POINTS
+#include <trace/events/coredump.h>
+
 static bool dump_vma_snapshot(struct coredump_params *cprm);
 static void free_vma_snapshot(struct coredump_params *cprm);
 
@@ -1090,6 +1093,8 @@ static inline bool coredump_skip(const struct coredump_params *cprm,
 static void do_coredump(struct core_name *cn, struct coredump_params *cprm,
 			size_t **argv, int *argc, const struct linux_binfmt *binfmt)
 {
+	trace_coredump(cprm->siginfo->si_signo);
+
 	if (!coredump_parse(cn, cprm, argv, argc)) {
 		coredump_report_failure("format_corename failed, aborting core");
 		return;
diff --git a/include/trace/events/coredump.h b/include/trace/events/coredump.h
@@ -0,0 +1,45 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (c) 2026 Meta Platforms, Inc. and affiliates.
+ * Copyright (c) 2026 Breno Leitao <leitao@debian.org>
+ */
+#undef TRACE_SYSTEM
+#define TRACE_SYSTEM coredump
+
+#if !defined(_TRACE_COREDUMP_H) || defined(TRACE_HEADER_MULTI_READ)
+#define _TRACE_COREDUMP_H
+
+#include <linux/sched.h>
+#include <linux/tracepoint.h>
+
+/**
+ * coredump - called when a coredump starts
+ * @sig: signal number that triggered the coredump
+ *
+ * This tracepoint fires at the beginning of a coredump attempt,
+ * providing a stable interface for monitoring coredump events.
+ */
+TRACE_EVENT(coredump,
+
+	TP_PROTO(int sig),
+
+	TP_ARGS(sig),
+
+	TP_STRUCT__entry(
+		__field(int, sig)
+		__array(char, comm, TASK_COMM_LEN)
+	),
+
+	TP_fast_assign(
+		__entry->sig = sig;
+		memcpy(__entry->comm, current->comm, TASK_COMM_LEN);
+	),
+
+	TP_printk("sig=%d comm=%s",
+		  __entry->sig, __entry->comm)
+);
+
+#endif /* _TRACE_COREDUMP_H */
+
+/* This part must be outside protection */
+#include <trace/define_trace.h>
