Bug 14915 - mdssvc crashes when searches are pending and the client closes the mdssvc IPC pipe
Summary: mdssvc crashes when searches are pending and the client closes the mdssvc IPC...
Status: ASSIGNED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Ralph Böhme
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-11-19 16:00 UTC by Ralph Böhme
Modified: 2021-11-19 16:02 UTC

See Also:


Attachments

Description Ralph Böhme 2021-11-19 16:00:02 UTC
When a search is in-flight and currently being processed against the Elasticsearch server, we set s->pending. In the destructor of "s" we check "pending" and reject deallocation of the object.
    
One instance where "s" is requested to be deallocated is when the client closes the top-level per-share search connection. This will implicitly close all searches associated with the mds_ctx from mds_ctx_destructor_cb():
    
            while (mds_ctx->query_list != NULL) {
                    /*
                     * slq destructor removes element from list.
                     * Don't use TALLOC_FREE()!
                     */
                    talloc_free(mds_ctx->query_list);
            }

So when this happens the Elasticsearch backend query object stays around, along with any active tevent_req request and a tevent_req timer set with tevent_req_set_endtime() in mds_es_search_send().

Later, when the timer expires, it tries to remove the search from the connection context's list of searches, but as that is already gone we crash accessing invalid memory one way or another.

Have patch, need bug number...
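The following is an added, constructed model of the lifetime problem the report describes; it is not Samba code and not the patch the reporter mentions (the report does not say what that patch changes). talloc and tevent are replaced by plain structs: "freeing" an object sets a tombstone flag instead of releasing memory, so the dangling access can be detected and returned as a value rather than crashing. The names es_search, slq and ctx are stand-ins for the backend search object "s", struct sl_query and mds_ctx, and the "detach" flag (clearing the survivor's back-pointer when the connection context is torn down) is a hypothetical hardening used only to show what the timer callback needs in order to bail out safely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not Samba code: tombstone flags stand in for talloc_free(). */

struct ctx;

struct es_search {          /* backend query object, "s" in the report */
    struct slq *slq;        /* back-pointer to the frontend search */
    bool pending;           /* request in flight: destructor refuses to free */
};

struct slq {                /* frontend search on the context's query_list */
    struct slq *next;
    struct ctx *ctx;
    struct es_search *backend;
    bool freed;             /* tombstone instead of a real free */
};

struct ctx {                /* per-share search connection (mds_ctx stand-in) */
    struct slq *query_list;
    bool freed;             /* tombstone instead of a real free */
};

static void slq_unlink(struct slq *q)
{
    struct slq **pp;

    for (pp = &q->ctx->query_list; *pp != NULL; pp = &(*pp)->next) {
        if (*pp == q) {
            *pp = q->next;
            break;
        }
    }
}

/* talloc-style destructor: returning -1 rejects deallocation while pending. */
static int es_search_destructor(struct es_search *s)
{
    return s->pending ? -1 : 0;
}

/*
 * Frontend search destructor. A backend object that refuses to die stays
 * alive (talloc reparents it instead of freeing it). "detach" is the
 * hypothetical hardening: clear its back-pointer so it can no longer reach
 * memory that is about to go away.
 */
static int slq_destructor(struct slq *q, bool detach)
{
    if (es_search_destructor(q->backend) != 0 && detach) {
        q->backend->slq = NULL;
    }
    slq_unlink(q);          /* the real destructor removes itself from the list */
    q->freed = true;
    return 0;
}

/* Model of mds_ctx_destructor_cb(): close every search still on the list. */
static void ctx_free(struct ctx *c, bool detach)
{
    while (c->query_list != NULL) {
        slq_destructor(c->query_list, detach);
    }
    c->freed = true;
}

/*
 * Endtime timer firing after the connection is gone. Returns true if the
 * timeout was handled safely, false if real code would have dereferenced
 * freed memory (the crash in the report).
 */
static bool es_timer_fire(struct es_search *s)
{
    s->pending = false;
    if (s->slq == NULL) {
        return true;        /* detached: nothing left to unlink */
    }
    if (s->slq->freed || s->slq->ctx->freed) {
        return false;       /* use-after-free in real code */
    }
    slq_unlink(s->slq);
    return true;
}

/* One search in flight when the client closes the pipe; the timer fires later. */
static bool run_scenario(bool detach)
{
    struct ctx c = { .query_list = NULL, .freed = false };
    struct es_search s = { .slq = NULL, .pending = true };
    struct slq q = { .next = NULL, .ctx = &c, .backend = &s, .freed = false };

    s.slq = &q;
    c.query_list = &q;

    ctx_free(&c, detach);       /* client closes the per-share connection */
    return es_timer_fire(&s);   /* endtime timer expires afterwards */
}

int main(void)
{
    printf("no detach: %s\n", run_scenario(false) ? "safe" : "touched freed memory");
    printf("detach:    %s\n", run_scenario(true) ? "safe" : "touched freed memory");
    return 0;
}
```

The point the model makes is that a destructor which returns -1 keeps the object alive but does nothing about the pointers that object holds; whichever side tears down first has to sever the link (or cancel the timer) before the surviving object's callbacks can run.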