linux.git/include/trace/events/coredump.h, branch master Linux kernel source tree coredump: add tracepoint for coredump events 2026-03-23T12:15:52+00:00 Breno Leitao leitao@debian.org 2026-03-23T11:46:27+00:00 f30186b0c7829841744a40f7345e6cc9865f8a67 Coredump is a generally useful and interesting event in the lifetime of a process. Add a tracepoint so it can be monitored through the standard kernel tracing infrastructure. BPF-based crash monitoring is an advanced approach that allows real-time crash interception: by attaching a BPF program at this point, tools can use bpf_get_stack() with BPF_F_USER_STACK to capture the user-space stack trace at the exact moment of the crash, before the process is fully terminated, without waiting for a coredump file to be written and parsed. However, there is currently no stable kernel API for this use case. Existing tools rely on attaching fentry probes to do_coredump(), which is an internal function whose signature changes across kernel versions, breaking these tools. Add a stable tracepoint that fires at the beginning of do_coredump(), providing BPF programs a reliable attachment point. At tracepoint time, the crashing process context is still live, so BPF programs can call bpf_get_stack() with BPF_F_USER_STACK to extract the user-space backtrace. The tracepoint records: - sig: signal number that triggered the coredump - comm: process name Example output: $ echo 1 > /sys/kernel/tracing/events/coredump/coredump/enable $ sleep 999 & $ kill -SEGV $! $ cat /sys/kernel/tracing/trace # TASK-PID CPU# ||||| TIMESTAMP FUNCTION # | | | ||||| | | sleep-634 [036] ..... 145.222206: coredump: sig=11 comm=sleep Suggested-by: Andrii Nakryiko <andrii@kernel.org> Signed-off-by: Breno Leitao <leitao@debian.org> Link: https://patch.msgid.link/20260323-coredump_tracepoint-v2-1-afced083b38d@debian.org Signed-off-by: Christian Brauner <brauner@kernel.org> 
Coredump is a generally useful and interesting event in the lifetime
of a process. Add a tracepoint so it can be monitored through the
standard kernel tracing infrastructure.

BPF-based crash monitoring is an advanced approach that
allows real-time crash interception: by attaching a BPF program at
this point, tools can use bpf_get_stack() with BPF_F_USER_STACK to
capture the user-space stack trace at the exact moment of the crash,
before the process is fully terminated, without waiting for a
coredump file to be written and parsed.

However, there is currently no stable kernel API for this use case.
Existing tools rely on attaching fentry probes to do_coredump(),
which is an internal function whose signature changes across kernel
versions, breaking these tools.

Add a stable tracepoint that fires at the beginning of
do_coredump(), providing BPF programs a reliable attachment point.
At tracepoint time, the crashing process context is still live, so
BPF programs can call bpf_get_stack() with BPF_F_USER_STACK to
extract the user-space backtrace.

The tracepoint records:
  - sig: signal number that triggered the coredump
  - comm: process name

Example output:

  $ echo 1 > /sys/kernel/tracing/events/coredump/coredump/enable
  $ sleep 999 &
  $ kill -SEGV $!
  $ cat /sys/kernel/tracing/trace
  #           TASK-PID     CPU#  |||||  TIMESTAMP  FUNCTION
  #              | |         |   |||||     |         |
             sleep-634     [036] .....   145.222206: coredump: sig=11 comm=sleep

Suggested-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Breno Leitao <leitao@debian.org>
Link: https://patch.msgid.link/20260323-coredump_tracepoint-v2-1-afced083b38d@debian.org
Signed-off-by: Christian Brauner <brauner@kernel.org>