When a search is in-flight and currently being processed against the Elasticsearch server, we set s->pending. In the destructor of "s" we check "pending" and reject deallocation of the object. One instance where "s" is requested to be deallocated is when the client closes the top-level per-share search connection. This will implicitly close all searches associated with the mds_ctx from mds_ctx_destructor_cb(): while (mds_ctx->query_list != NULL) { /* * slq destructor removes element from list. * Don't use TALLOC_FREE()! */ talloc_free(mds_ctx->query_list); } So when this happens the Elasticsearch backend query object stays around, alongside with any active tevent_req request and a tevent_req timer set with tevent_req_set_endtime() in mds_es_search_send(). Later when the timer expires it tries to remove the search from the list of searches from the connection context, but as that is already gone we crash accessing invalid memory one way or another. Have patch need bugnumber...