The reason is that baum did not set brlapi to NULL in baum_chr_open, which caused brlapi to be released twice. The patch has been tested and uploaded upstream: https://lists.gnu.org/archive/html/qemu-devel/2017-09/msg06601.html
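As an added illustration of the double-release pattern this comment describes (example code, not QEMU's or the patch's own): the device struct, the `baum_open_*` / `baum_close` functions and the handle type are stand-ins, and the mock release function counts calls instead of freeing, so the defect shows up as a count rather than as undefined behaviour.

```c
#include <stddef.h>

/* Constructed stand-in for a BrlAPI connection handle: counts releases
 * instead of freeing, so a double release is observable, not a crash. */
typedef struct { int released; } FakeBrlapiHandle;

static FakeBrlapiHandle g_handle;   /* the single constructed handle */

static void fake_brlapi_close(FakeBrlapiHandle *h) { h->released++; }

/* Hypothetical device state holding the connection pointer. */
typedef struct { FakeBrlapiHandle *brlapi; } BaumDevice;

/* Buggy open: when a step after connecting fails, the handle is released
 * but the pointer is left dangling, so the later close releases it again. */
static int baum_open_buggy(BaumDevice *d, int fail_after_connect) {
    d->brlapi = &g_handle;
    if (fail_after_connect) {
        fake_brlapi_close(d->brlapi);   /* released here ... */
        return -1;                      /* ... but d->brlapi still points at it */
    }
    return 0;
}

/* Fixed open: releasing and clearing the pointer happen together. */
static int baum_open_fixed(BaumDevice *d, int fail_after_connect) {
    d->brlapi = &g_handle;
    if (fail_after_connect) {
        fake_brlapi_close(d->brlapi);
        d->brlapi = NULL;               /* the fix: no dangling pointer */
        return -1;
    }
    return 0;
}

/* Close path shared by both variants: releases only a live handle. */
static void baum_close(BaumDevice *d) {
    if (d->brlapi) {
        fake_brlapi_close(d->brlapi);
        d->brlapi = NULL;
    }
}

/* Drives a failing open followed by close; returns the release count. */
static int release_count(int (*open_fn)(BaumDevice *, int)) {
    BaumDevice d = { NULL };
    g_handle.released = 0;
    open_fn(&d, 1);                     /* simulate failure after connecting */
    baum_close(&d);
    return g_handle.released;           /* buggy: 2, fixed: 1 */
}
```

The guard in `baum_close` alone is not enough: it only helps once the open path stops leaving a freed pointer behind, which is what the upstream patch does.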