As the caller ("smbd_smb2_request_process_create()") already sets the callback, the first time, it's not safe to reuse the tevent_req structure. The typicall 'tevent_req_nterror(); return tevent_req_post()' will crash as the tevent_req_nterror() already triggered the former callback, which calls smbd_smb2_create_recv(), were tevent_req_received() invalidates the tevent_req structure, so that tevent_req_post() will crash. There's actually no need to (re-)use the old structure at all.
Created attachment 13266 [details] Possible patch for master (needs regression tests)
Created attachment 13267 [details] Additional patch Review via bugzilla... Additional one for metze :-)
Just FYI: Those two patches just survived a private autobuild.
(In reply to Volker Lendecke from comment #3) Thanks! I think we should squash the two commits and adjust the commit message...
Created attachment 13333 [details] Patch for v4-6-test
Created attachment 13334 [details] Patch for v4-5-test
Reassigning to Karolin for inclusion in 4.5 and 4.6.
(In reply to Ralph Böhme from comment #7) Pushed to autobuild-v4-{6,5}-test.
(In reply to Karolin Seeger from comment #8) Pushed to both branches. Closing out bug report. Thanks!