1#!/usr/bin/env python
2#
3# kvm_hypercall.py
4#
5# Demonstrates stateful kvm_entry and kvm_exit recording along with the
6# associated hypercall when exit_reason is VMCALL. See kvm_hypercall.txt
7# for usage
8#
9# REQUIRES: Linux 4.7+ (BPF_PROG_TYPE_TRACEPOINT support)
10#
11# Copyright (c) 2017 ShiftLeft Inc.
12#
13# Author(s):
14#   Suchakrapani Sharma <suchakra@shiftleft.io>
15
16
17from __future__ import print_function
18from bcc import BPF
19
20# load BPF program
21b = BPF(text="""
22#define EXIT_REASON 18
23BPF_HASH(start, u8, u8);
24
25TRACEPOINT_PROBE(kvm, kvm_exit) {
26    u8 e = EXIT_REASON;
27    u8 one = 1;
28    if (args->exit_reason == EXIT_REASON) {
29        bpf_trace_printk("KVM_EXIT exit_reason : %d\\n", args->exit_reason);
30        start.update(&e, &one);
31    }
32    return 0;
33}
34
35TRACEPOINT_PROBE(kvm, kvm_entry) {
36    u8 e = EXIT_REASON;
37    u8 zero = 0;
38    u8 *s = start.lookup(&e);
39    if (s != NULL && *s == 1) {
40        bpf_trace_printk("KVM_ENTRY vcpu_id : %u\\n", args->vcpu_id);
41        start.update(&e, &zero);
42    }
43    return 0;
44}
45
46TRACEPOINT_PROBE(kvm, kvm_hypercall) {
47    u8 e = EXIT_REASON;
48    u8 zero = 0;
49    u8 *s = start.lookup(&e);
50    if (s != NULL && *s == 1) {
51        bpf_trace_printk("HYPERCALL nr : %d\\n", args->nr);
52    }
53    return 0;
54};
55""")
56
57# header
58print("%-18s %-16s %-6s %s" % ("TIME(s)", "COMM", "PID", "EVENT"))
59
60# format output
61while 1:
62    try:
63        (task, pid, cpu, flags, ts, msg) = b.trace_fields()
64    except ValueError:
65        continue
66    print("%-18.9f %-16s %-6d %s" % (ts, task, pid, msg))
67
68