> Oh, I see, is that what you did in your reproducer?

Yes, that's how I reproduce it.

> I'm still puzzled by smb2_handle_negotiate+0x35d7/0x3e60 in the original
> stack trace. 0x35d7/0x3e60 certainly doesn't translate to "start of the
> function" to me, but what do I know :)

As you can see in the assembly below, the call to the asan_report_* functions
is placed at the bottom of the function; that's why the stack trace looks
like that.

```
; smb2_handle_negotiate+0x216
.text:FFFFFFFF81FDA4F6   test    dl, dl
.text:FFFFFFFF81FDA4F8   setnz   al
.text:FFFFFFFF81FDA4FB   test    cl, al                       ; KASAN check
.text:FFFFFFFF81FDA4FD   jnz     loc_FFFFFFFF81FDD80E         ; jump to report

; smb2_handle_negotiate+0x352e
.text:FFFFFFFF81FDD80E loc_FFFFFFFF81FDD80E:
.text:FFFFFFFF81FDD80E   mov     esi, 2
.text:FFFFFFFF81FDD813   call    __asan_report_load_n_noabort
.text:FFFFFFFF81FDD818   jmp     loc_FFFFFFFF81FDA503
.text:FFFFFFFF81FDD81D loc_FFFFFFFF81FDD81D:
.text:FFFFFFFF81FDD81D   mov     esi, 4
.text:FFFFFFFF81FDD822   call    __asan_report_store_n_noabort
.text:FFFFFFFF81FDD827   jmp     loc_FFFFFFFF81FDAFA7
.text:FFFFFFFF81FDD82C loc_FFFFFFFF81FDD82C:
.text:FFFFFFFF81FDD82C   mov     rdi, rcx
.text:FFFFFFFF81FDD82F   call    __asan_report_load2_noabort
.text:FFFFFFFF81FDD834   jmp     loc_FFFFFFFF81FDA558
```