Created attachment 9138 [details]
the library code that i call in my test driver as described in bug

Env:  centos 64 bit OS
Samba version:  3.6.9
talloc version:  2.0.7

Core dump pasted at bottom of this bug.

As a test i wrote a  C library that makes calls to smbc_ family of functions
in this library  i have 2 functions called

 ctx_create_new_smbc_context and  ctx_cleanup_context

(src code attached)

In ctx_create_new_smbc_context

in brief i call

smbc_new_context();
smbc_init_context();  in addition to other stuff as in attached src

in crx_cleanup_context()
i call
smbc_free_context(smb_ctxt, 1);


I have a test driver which at the moment does  do much except
call ctx_create_new_smbc_context and ctx_cleanup_context
in a loop 1000 times

Now with a single thread it is all good but with multiple (2 threads)
it core dumps right away.

I know parts of samba code is not multi-thread safe but according to samba docs
if each thread creates its own smbc_context it should be safe but does not seem
to be.



Here is my thread function

It works for a single thread not more than 1

If i guard it with a mutex (mutex_sync in below snippet)
all is fine but did not want to serialize 
smbc_ calls for better performance if possible.


static void * thread_ctx(void *arg)
{
    thread_info *tinfo = arg;
    char *uargv, *p;
    int i = 0;
    SMBCCTX* smb_ctxt = NULL;
    const char *username = "Administrator";
    const char*domain_name = "NTAPQA2";
    const char *password = "Pur@to789";
    const char* srvr = "172.16.3.38";
    const char *share = "subset";
    struct user_auth_info *p_user_auth_info = NULL;


   printf("Thread %d: top of stack near %p;\n",tinfo->thread_num, &p);

  while(i++< 1000)
  {

    //pthread_mutex_lock(&mutex_sync);  
    TALLOC_CTX *talloc_ctx = talloc_stackframe();
    int err = ctx_create_new_smbc_context(talloc_ctx,&p_user_auth_info,&smb_ctxt,username,domain_name,password,srvr,share);
    smbc_set_context(smb_ctxt);
    printf("%s: Thread [%lu]: ctx_create_new_smbc_context res=%d ctx=%p  count=%d\n",__func__,pthread_self(),err,smb_ctxt,i);
    sleep(1);
    ctx_cleanup_context(talloc_ctx,p_user_auth_info,smb_ctxt);
    printf("%s: Thread [%lu]: ctx_cleanup_context\n",__func__,pthread_self());
    smb_ctxt = NULL;

    TALLOC_FREE(talloc_ctx);
    //pthread_mutex_unlock(&mutex_sync);
  }



 return NULL;

}


Core dump begin




Thread 3 (Thread 0x7f6711613700 (LWP 24975)):
#0  0x00007f67156ec086 in memset () from /lib64/ld-linux-x86-64.so.2
#1  0x00007f67156db5fd in _dl_map_object_from_fd () from /lib64/ld-linux-x86-64.so.2
#2  0x00007f67156dc35a in _dl_map_object () from /lib64/ld-linux-x86-64.so.2
#3  0x00007f67156e69b4 in dl_open_worker () from /lib64/ld-linux-x86-64.so.2
#4  0x00007f67156e2196 in _dl_catch_error () from /lib64/ld-linux-x86-64.so.2
#5  0x00007f67156e646a in _dl_open () from /lib64/ld-linux-x86-64.so.2
#6  0x00007f671362c300 in do_dlopen () from /lib64/libc.so.6
#7  0x00007f67156e2196 in _dl_catch_error () from /lib64/ld-linux-x86-64.so.2
#8  0x00007f671362c457 in __libc_dlopen_mode () from /lib64/libc.so.6
#9  0x00007f6713604855 in init () from /lib64/libc.so.6
#10 0x00007f67138a5b23 in pthread_once () from /lib64/libpthread.so.0
#11 0x00007f6713604954 in backtrace () from /lib64/libc.so.6
#12 0x00007f67135767cb in __libc_message () from /lib64/libc.so.6
#13 0x00007f671357c0e6 in malloc_printerr () from /lib64/libc.so.6
#14 0x00007f6713581ae7 in _int_realloc () from /lib64/libc.so.6
#15 0x00007f6713581ca5 in realloc () from /lib64/libc.so.6
#16 0x00000000007d942d in _talloc_realloc ()
#17 0x00000000007d959f in _talloc_realloc_array ()
#18 0x0000000000418006 in talloc_stackframe_internal ()
#19 0x00000000004180ac in talloc_stackframe ()
#20 0x00000000007a521f in SMBC_module_init ()
#21 0x00000000007a54eb in smbc_new_context ()
#22 0x0000000000417be7 in ctx_create_new_smbc_context ()
#23 0x0000000000411072 in thread_ctx (arg=0x139a260) at ./egn_sc_perms/driver/egn_sc_ctx_tester.c:459
#24 0x00007f67138a0851 in start_thread () from /lib64/libpthread.so.0
#25 0x00007f67135ee90d in clone () from /lib64/libc.so.6

Thread 2 (Thread 0x7f67158e07c0 (LWP 24974)):
#0  0x00007f67135b2b8d in nanosleep () from /lib64/libc.so.6
#1  0x00007f67135b2a00 in sleep () from /lib64/libc.so.6
#2  0x000000000041048b in main (argc=1, argv=0x7ffff681e738) at ./egn_sc_perms/driver/egn_sc_ctx_tester.c:102

Thread 1 (Thread 0x7f6710c12700 (LWP 24976)):
#0  0x00007f67135388a5 in raise () from /lib64/libc.so.6
#1  0x00007f671353a085 in abort () from /lib64/libc.so.6
#2  0x00000000007d562f in talloc_abort ()
#3  0x00000000007d5646 in talloc_abort_access_after_free ()
#4  0x00000000007d90ce in _talloc_realloc ()
#5  0x00000000007d959f in _talloc_realloc_array ()
#6  0x0000000000418006 in talloc_stackframe_internal ()
---Type <return> to continue, or q <return> to quit---
#7  0x00000000004180ac in talloc_stackframe ()
#8  0x00000000007a521f in SMBC_module_init ()
#9  0x00000000007a54eb in smbc_new_context ()
#10 0x0000000000417be7 in ctx_create_new_smbc_context ()
#11 0x0000000000411072 in thread_ctx (arg=0x139a278) at ./egn_sc_perms/driver/egn_sc_ctx_tester.c:459
#12 0x00007f67138a0851 in start_thread () from /lib64/libpthread.so.0
#13 0x00007f67135ee90d in clone () from /lib64/libc.so.6
(gdb)