1#!/usr/bin/env python 2# 3# kvm_hypercall.py 4# 5# Demonstrates stateful kvm_entry and kvm_exit recording along with the 6# associated hypercall when exit_reason is VMCALL. See kvm_hypercall.txt 7# for usage 8# 9# REQUIRES: Linux 4.7+ (BPF_PROG_TYPE_TRACEPOINT support) 10# 11# Copyright (c) 2017 ShiftLeft Inc. 12# 13# Author(s): 14# Suchakrapani Sharma <suchakra@shiftleft.io> 15 16 17from __future__ import print_function 18from bcc import BPF 19 20# load BPF program 21b = BPF(text=""" 22#define EXIT_REASON 18 23BPF_HASH(start, u8, u8); 24 25TRACEPOINT_PROBE(kvm, kvm_exit) { 26 u8 e = EXIT_REASON; 27 u8 one = 1; 28 if (args->exit_reason == EXIT_REASON) { 29 bpf_trace_printk("KVM_EXIT exit_reason : %d\\n", args->exit_reason); 30 start.update(&e, &one); 31 } 32 return 0; 33} 34 35TRACEPOINT_PROBE(kvm, kvm_entry) { 36 u8 e = EXIT_REASON; 37 u8 zero = 0; 38 u8 *s = start.lookup(&e); 39 if (s != NULL && *s == 1) { 40 bpf_trace_printk("KVM_ENTRY vcpu_id : %u\\n", args->vcpu_id); 41 start.update(&e, &zero); 42 } 43 return 0; 44} 45 46TRACEPOINT_PROBE(kvm, kvm_hypercall) { 47 u8 e = EXIT_REASON; 48 u8 zero = 0; 49 u8 *s = start.lookup(&e); 50 if (s != NULL && *s == 1) { 51 bpf_trace_printk("HYPERCALL nr : %d\\n", args->nr); 52 } 53 return 0; 54}; 55""") 56 57# header 58print("%-18s %-16s %-6s %s" % ("TIME(s)", "COMM", "PID", "EVENT")) 59 60# format output 61while 1: 62 try: 63 (task, pid, cpu, flags, ts, msg) = b.trace_fields() 64 except ValueError: 65 continue 66 print("%-18.9f %-16s %-6d %s" % (ts, task, pid, msg)) 67 68