diff options
| author | Breno Leitao <leitao@debian.org> | 2026-03-23 04:46:27 -0700 |
|---|---|---|
| committer | Christian Brauner <brauner@kernel.org> | 2026-03-23 13:15:52 +0100 |
| commit | f30186b0c7829841744a40f7345e6cc9865f8a67 (patch) | |
| tree | a1e716688e2dc564be8071aaa3fa64ef20e20679 /include/trace | |
| parent | e247fd37e597b3536d26cfa5fcc558832586f57c (diff) | |
coredump: add tracepoint for coredump events
Coredump is a generally useful and interesting event in the lifetime
of a process. Add a tracepoint so it can be monitored through the
standard kernel tracing infrastructure.
BPF-based crash monitoring is an advanced approach that
allows real-time crash interception: by attaching a BPF program at
this point, tools can use bpf_get_stack() with BPF_F_USER_STACK to
capture the user-space stack trace at the exact moment of the crash,
before the process is fully terminated, without waiting for a
coredump file to be written and parsed.
However, there is currently no stable kernel API for this use case.
Existing tools rely on attaching fentry probes to do_coredump(),
which is an internal function whose signature changes across kernel
versions, breaking these tools.
Add a stable tracepoint that fires at the beginning of
do_coredump(), providing BPF programs a reliable attachment point.
At tracepoint time, the crashing process context is still live, so
BPF programs can call bpf_get_stack() with BPF_F_USER_STACK to
extract the user-space backtrace.
The tracepoint records:
- sig: signal number that triggered the coredump
- comm: process name
Example output:
$ echo 1 > /sys/kernel/tracing/events/coredump/coredump/enable
$ sleep 999 &
$ kill -SEGV $!
$ cat /sys/kernel/tracing/trace
# TASK-PID CPU# ||||| TIMESTAMP FUNCTION
# | | | ||||| | |
sleep-634 [036] ..... 145.222206: coredump: sig=11 comm=sleep
Suggested-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Breno Leitao <leitao@debian.org>
Link: https://patch.msgid.link/20260323-coredump_tracepoint-v2-1-afced083b38d@debian.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Diffstat (limited to 'include/trace')
| -rw-r--r-- | include/trace/events/coredump.h | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/include/trace/events/coredump.h b/include/trace/events/coredump.h new file mode 100644 index 000000000000..c7b9c53fc498 --- /dev/null +++ b/include/trace/events/coredump.h @@ -0,0 +1,45 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright (c) 2026 Meta Platforms, Inc. and affiliates. + * Copyright (c) 2026 Breno Leitao <leitao@debian.org> + */ +#undef TRACE_SYSTEM +#define TRACE_SYSTEM coredump + +#if !defined(_TRACE_COREDUMP_H) || defined(TRACE_HEADER_MULTI_READ) +#define _TRACE_COREDUMP_H + +#include <linux/sched.h> +#include <linux/tracepoint.h> + +/** + * coredump - called when a coredump starts + * @sig: signal number that triggered the coredump + * + * This tracepoint fires at the beginning of a coredump attempt, + * providing a stable interface for monitoring coredump events. + */ +TRACE_EVENT(coredump, + + TP_PROTO(int sig), + + TP_ARGS(sig), + + TP_STRUCT__entry( + __field(int, sig) + __array(char, comm, TASK_COMM_LEN) + ), + + TP_fast_assign( + __entry->sig = sig; + memcpy(__entry->comm, current->comm, TASK_COMM_LEN); + ), + + TP_printk("sig=%d comm=%s", + __entry->sig, __entry->comm) +); + +#endif /* _TRACE_COREDUMP_H */ + +/* This part must be outside protection */ +#include <trace/define_trace.h> |