On Fri, Dec 08, 2023 at 11:40:27AM -0800, Alexei Starovoitov wrote:

> What is "sealing" by objtool?

Ah, LTO-like pass that tries to determine if a function ever gets its address taken.

The basic problem is that the compiler (barring its own LTO pass) must emit CFI for every non-local symbol in a translation unit. This means that a ton of functions will have CFI on, even if they're never indirectly called.

So objtool collects all functions that have CFI but do not get their address taken, and sticks their address in a .discard section, then at boot time we iterate this section and scribble the CFI state for all these functions, making them invalid to be called indirectly.

For one, this avoids malicious code from finding a function address in the symbol table and indirectly calling it anyway as a means to circumvent the EXPORT symbols.

So objtool does not think bpf_cgroup_release() gets its address taken, specifically it does not find its address in a section it knows about. And hence it goes on the list and we scribble it and the indirect call goes *boom*.
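
A simplified user-space model of the sealing pass described in the message above, as an added example that is not part of the original e-mail or the kernel's own code. The table layout, the `known_ref`/`other_ref` flags and the hash values are constructed for illustration; only `bpf_cgroup_release` is a name taken from the message.

```c
/* Toy model of CFI sealing; every value here is constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HASH_CB     0x5ca1ab1eu /* constructed type hash shared by all callbacks */
#define HASH_SEALED 0u          /* constructed scribble value, matches no call site */

struct func {
    const char *name;
    uint32_t cfi_hash; /* emitted for every non-local symbol */
    int known_ref;     /* address seen in a section the scanner knows about */
    int other_ref;     /* address stored somewhere the scanner does not look */
};

static struct func funcs[] = {
    { "direct_only",        HASH_CB, 0, 0 }, /* only ever called directly */
    { "ops_callback",       HASH_CB, 1, 0 }, /* address visibly taken */
    { "bpf_cgroup_release", HASH_CB, 0, 1 }, /* address taken, but unseen */
};
#define NFUNCS (sizeof(funcs) / sizeof(funcs[0]))

/* Build-time step: list functions with CFI whose address is never seen taken. */
static size_t collect_seal_list(size_t *out) {
    size_t n = 0;
    for (size_t i = 0; i < NFUNCS; i++)
        if (!funcs[i].known_ref)
            out[n++] = i;
    return n;
}

/* Boot-time step: walk the list and scribble the CFI state of each entry. */
static void seal_all(void) {
    size_t list[NFUNCS], n = collect_seal_list(list);
    for (size_t i = 0; i < n; i++)
        funcs[list[i]].cfi_hash = HASH_SEALED;
}

/* Call-site check: 1 if the indirect call is allowed, 0 if it would trap. */
static int indirect_call_ok(const char *name, uint32_t expected) {
    for (size_t i = 0; i < NFUNCS; i++)
        if (strcmp(funcs[i].name, name) == 0)
            return funcs[i].cfi_hash == expected;
    return 0;
}

/* Audit: functions the pass seals although something still holds their address. */
static size_t count_wrongly_sealed(void) {
    size_t n = 0;
    for (size_t i = 0; i < NFUNCS; i++)
        n += (!funcs[i].known_ref && funcs[i].other_ref);
    return n;
}

int main(void) { seal_all(); return indirect_call_ok("ops_callback", HASH_CB) ? 0 : 1; }
```

In this model the type hash of the third entry is correct, yet the call still fails after sealing, because the pass never saw its address being taken.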