When sanitizer calls are emitted, the -mregparm=3 option used by the Linux kernel appears to be ignored. For example, here is a build where the argument are being pushed instead of placed in %eax and %edx (from lkdtm_ARRAY_BOUNDS):

 0xc18e3a5a <+202>: push %ebx  0xc18e3a5b <+203>: push $0xc26001a0  0xc18e3a60 <+208>: call 0xc157d430 <__ubsan_handle_out_of_bounds>

The kernel's handler isn't expecting them on the stack. For example, this is setting a bit in the sanitizer's passed-in data structure (from __ubsan_handle_out_of_bounds):

 0xc157d491 <+97>: btsl $0x1f,%ds:0x4(%eax)  0xc157d497 <+103>: jae 0xc157d4a1 <__ubsan_handle_out_of_bounds+113> 

KSPP/linux#350