change_notify_add_request() talloc moves smb_request away, which is not expected by the smb2_notify.c code... smbd_smb2_notify_reply() uses tevent_req_defer_callback() (in older versions an immediate event) to defer the response. This is needed as change_notify_reply() will do more things after calling reply_fn() (smbd_smb2_notify_reply in this case) and often change_notify_remove_request() is called after change_notify_reply(). change_notify_remove_request() implicitly frees the smb_request that was passed to change_notify_add_request(). smbd_smb2_fake_smb_request() added the smb_request as smb2req->smb1req, which is expected to be available after smbd_smb2_notify_recv() returned.
Created attachment 9680: Patch for v4-1-test
Created attachment 9681: Patch for v4-0-test
Comment on attachment 9681 (Patch for v4-0-test): Karolin, please apply the patches to the relevant branches. Thanks!
Pushed to autobuild-v4-1-test and autobuild-v4-0-test after freeze date, because it sounds like an important fix.
Pushed to v4-1-test and v4-0-test. Closing out bug report. Thanks!