eBPF programs often behave differently than developers expect, not because of incorrect logic, but because of subtle behaviours of the hookpoints themselves. In this talk, we focus on a small set of high-impact, commonly misunderstood attachment types — kprobes/fentry, tracepoints, uprobes, and TC/XDP and expose the internal kernel mechanics that cause surprising edge cases.
Rather than attempting to cover all eBPF hooks, this session distills a practical set of real-world gotchas that routinely affect production tools, explaining why they occur and how to work around them.