On Fri, Mar 20, 2026 at 05:33:34AM -0700, Breno Leitao wrote:
> Coredump is a generally useful and interesting event in the lifetime
> of a process. Add a tracepoint so it can be monitored through the
> standard kernel tracing infrastructure.
>
> BPF-based crash monitoring is an advanced approach that
> allows real-time crash interception: by attaching a BPF program at
> this point, tools can use bpf_get_stack() with BPF_F_USER_STACK to
> capture the user-space stack trace at the exact moment of the crash,
> before the process is fully terminated, without waiting for a
> coredump file to be written and parsed.
>
> However, there is currently no stable kernel API for this use case.
> Existing tools rely on attaching fentry probes to do_coredump(),
> which is an internal function whose signature changes across kernel
> versions, breaking these tools.
>
> Add a stable tracepoint that fires at the beginning of
> do_coredump(), providing BPF programs a reliable attachment point.
> At tracepoint time, the crashing process context is still live, so
> BPF programs can call bpf_get_stack() with BPF_F_USER_STACK to
> extract the user-space backtrace.
>
> The tracepoint records:
> - sig: signal number that triggered the coredump
> - comm: process name
> - pid: process PID
>
> Example output:
>
> $ echo 1 > /sys/kernel/tracing/events/coredump/coredump/enable
> $ sleep 999 &
> $ kill -SEGV $!
> $ cat /sys/kernel/tracing/trace
> # TASK-PID CPU# ||||| TIMESTAMP FUNCTION
> # | | | ||||| | |
> sleep-634 [036] ..... 145.222206: coredump: sig=11
> comm=sleep pid=634
>
> Suggested-by: Andrii Nakryiko <[email protected]>
> Signed-off-by: Breno Leitao <[email protected]>
> --- > fs/coredump.c | 5 +++++ > include/trace/events/coredump.h | 47 > +++++++++++++++++++++++++++++++++++++++++ > 2 files changed, 52 insertions(+) > > diff --git a/fs/coredump.c b/fs/coredump.c > index 29df8aa19e2e7..bb6fdb1f458e9 100644 > --- a/fs/coredump.c > +++ b/fs/coredump.c 
> @@ -63,6 +63,9 @@ > > #include <trace/events/sched.h> > > +#define CREATE_TRACE_POINTS > +#include <trace/events/coredump.h> > + > static bool dump_vma_snapshot(struct coredump_params *cprm); > static void free_vma_snapshot(struct coredump_params *cprm); > > @@ -1090,6 +1093,8 @@ static inline bool coredump_skip(const struct > coredump_params *cprm, > static void do_coredump(struct core_name *cn, struct coredump_params *cprm, > size_t **argv, int *argc, const struct linux_binfmt > *binfmt) > { > + trace_coredump(cprm->siginfo->si_signo); > + > if (!coredump_parse(cn, cprm, argv, argc)) { > coredump_report_failure("format_corename failed, aborting > core"); > return; > diff --git a/include/trace/events/coredump.h b/include/trace/events/coredump.h > new file mode 100644 > index 0000000000000..59617eba3dbcf > --- /dev/null > +++ b/include/trace/events/coredump.h > @@ -0,0 +1,47 @@ > +/* SPDX-License-Identifier: GPL-2.0 */ > +/* > + * Copyright (c) 2026 Meta Platforms, Inc. and affiliates. > + * Copyright (c) 2026 Breno Leitao <[email protected]> > + */ > +#undef TRACE_SYSTEM > +#define TRACE_SYSTEM coredump > + > +#if !defined(_TRACE_COREDUMP_H) || defined(TRACE_HEADER_MULTI_READ) > +#define _TRACE_COREDUMP_H > + > +#include <linux/sched.h> > +#include <linux/tracepoint.h> > + > +/** > + * coredump - called when a coredump starts > + * @sig: signal number that triggered the coredump > + * > + * This tracepoint fires at the beginning of a coredump attempt, > + * providing a stable interface for monitoring coredump events. > + */ > +TRACE_EVENT(coredump, > + > + TP_PROTO(int sig), > + > + TP_ARGS(sig), > + > + TP_STRUCT__entry( > + __field(int, sig) > + __array(char, comm, TASK_COMM_LEN) > + __field(pid_t, pid) > + ), > + > + TP_fast_assign( > + __entry->sig = sig; > + memcpy(__entry->comm, current->comm, TASK_COMM_LEN); > + __entry->pid = current->pid;
That's the TID as seen in the global pid namespace. I assume this is what you want but worth noting.
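
Review bot: In the do_coredump() hunk of fs/coredump.c, trace_coredump() sits ahead of coredump_parse(), so the event is also emitted when the function returns early through the coredump_report_failure() path and no core is written. The kernel-doc in the new header says "beginning of a coredump attempt", which matches, but it would help to state there explicitly that the event marks an attempt and does not imply a core file was produced, so consumers do not count every event as a written dump.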
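
Review bot: The kernel-doc block in include/trace/events/coredump.h describes only @sig, while TP_fast_assign() also records comm and pid taken from current. Consider describing both recorded fields in that comment: that pid is current->pid, a per-thread id (the point raised in the reply above), and that comm is copied from current->comm, which a task can set for itself, so consumers should treat it as a label rather than an identity. If tools are expected to group events by process, recording current->tgid as an extra field would save them a lookup.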
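
A user-space consumer of the event, as an added example that is not part of the patch or of this thread: it parses trace lines in the layout shown in the commit message's example output and reports (comm, signal) pairs that crash repeatedly. The line layout is assumed from that example output, the function names are hypothetical, and the sample lines are constructed.

```python
import re
import signal
from collections import Counter
from typing import Iterable, NamedTuple, Optional

# Line layout assumed from the example output in the commit message:
#   <task>-<tid> [cpu] flags timestamp: coredump: sig=11 comm=sleep pid=634
# comm is chosen by the task itself (prctl(PR_SET_NAME)), so it may contain
# spaces or text such as " pid=1". sig is anchored right after the event
# name and pid at end of line; comm is everything in between.
EVENT_RE = re.compile(
    r"\s(?P<ts>\d+\.\d+): coredump: "
    r"sig=(?P<sig>\d+) comm=(?P<comm>.*) pid=(?P<pid>\d+)\s*$"
)

class CoredumpEvent(NamedTuple):
    timestamp: float
    sig: int
    comm: str  # task-controlled label, not an identity
    tid: int   # current->pid: thread id in the global pid namespace

def sig_name(sig: int) -> str:
    try:
        return signal.Signals(sig).name
    except ValueError:  # number with no name on this platform
        return f"SIG{sig}"

def parse_line(line: str) -> Optional[CoredumpEvent]:
    """Return the coredump event on a trace line, or None for anything else."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    return CoredumpEvent(float(m["ts"]), int(m["sig"]), m["comm"], int(m["pid"]))

def repeated_crashers(lines: Iterable[str], threshold: int = 2) -> dict:
    """Map (comm, signal name) to its count when seen >= threshold times."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            counts[(ev.comm, sig_name(ev.sig))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample trace (not captured from a real system).
SAMPLE = """\
# TASK-PID CPU# ||||| TIMESTAMP FUNCTION
sleep-634 [036] ..... 145.222206: coredump: sig=11 comm=sleep pid=634
x pid=1-701 [002] ..... 146.000100: coredump: sig=6 comm=x pid=1 pid=701
sleep-702 [003] ..... 147.500000: coredump: sig=11 comm=sleep pid=702
""".splitlines()
```

The third sample line carries a comm of `x pid=1`; anchoring `pid=` at the end of the line keeps the parser from reporting thread id 1 for it.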
