Hello,
There is a double unref in virChrdevOpen() (src/conf/virchrdev.c) when an error occurs.
    if (virStreamRef(st) < 0) {         /* the stream is ref'ed exactly once here */
        virMutexUnlock(&devs->lock);
        return -1;
    }
    ...
    if (virHashAddEntry(devs->hash, path, st) < 0)
        goto error;
    ...
    if (virFDStreamOpenFile(st, path, 0, 0, O_RDWR) < 0) /* error occurs here */
        goto error;
    ...
error:
    virStreamFree(st);                  /* first unref */
    virHashRemoveEntry(devs->hash, path); /* dataFree callback: second unref */
The stream is virStreamRef'ed once, but if it is successfully placed into
the hash then it will be unreferenced twice: in virStreamFree() and in
virHashRemoveEntry()'s dataFree callback.
That leads to the stream object being disposed and a segmentation fault due
to use after free.
Steps to reproduce:
# hide /dev/pts to trigger an error in virFDStreamOpenFile()
$ mount -t tmpfs empty-devpts /dev/pts
$ virsh console a111
Connected to domain a111
Escape character is ^]
error: End of file while reading data: Input/output error
error: One or more references were leaked after disconnect from the hypervisor
error: Failed to reconnect to the hypervisor
(libvirtd segfaults)
$ umount empty-devpts
wbr,
Sergey.
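The refcount sequence described in the report, as an added stand-alone example (not libvirt's code; stream_t, devhash_t, chrdev_open and the other names are hypothetical stand-ins for virStreamRef/virStreamFree, the devs->hash table with its dataFree callback, and virChrdevOpen). Instead of freeing at refcount zero, the mock stream marks itself disposed and counts any later unref, so the double unref shows up as a counter rather than a segfault. The fixed == 1 branch is one way to drop the reference exactly once (after a successful insert, only the table's callback unrefs); it is an illustration of the fix's shape, not necessarily the change the project applied.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical refcounted stream: at refcount 0 it is marked disposed
 * rather than freed, and any further unref is counted as a use-after-free. */
typedef struct {
    int refs;
    int disposed;        /* set when refs reaches 0 */
    int use_after_free;  /* unrefs that arrived after disposal */
} stream_t;

static void stream_ref(stream_t *st) { st->refs++; }

static void stream_unref(stream_t *st)
{
    if (st->disposed) {          /* the real object would already be freed */
        st->use_after_free++;
        return;
    }
    if (--st->refs == 0)
        st->disposed = 1;
}

/* One-entry "hash" (path -> stream); removal runs a dataFree callback that
 * drops the table's reference, like virHashRemoveEntry() in the report. */
typedef struct {
    char path[64];
    stream_t *st;
    int used;
} devhash_t;

static int hash_add(devhash_t *h, const char *path, stream_t *st)
{
    if (h->used)
        return -1;
    snprintf(h->path, sizeof h->path, "%s", path);
    h->st = st;
    h->used = 1;
    return 0;
}

static void hash_remove(devhash_t *h, const char *path)
{
    if (h->used && strcmp(h->path, path) == 0) {
        stream_unref(h->st);     /* dataFree callback */
        h->used = 0;
        h->st = NULL;
    }
}

/* Stand-in for virFDStreamOpenFile(); fails when fail_open is set,
 * which is the effect of hiding /dev/pts in the report. */
static int fdstream_open(stream_t *st, const char *path, int fail_open)
{
    (void)st; (void)path;
    return fail_open ? -1 : 0;
}

/* Same ordering as the report: ref, insert into the table, then open.
 * fixed == 0 reproduces the bug (virStreamFree plus the dataFree callback
 * both unref on error); fixed == 1 lets the table's callback be the only
 * unref once the insert has succeeded. */
static int chrdev_open(devhash_t *devs, stream_t *st, const char *path,
                       int fail_open, int fixed)
{
    int in_hash = 0;

    stream_ref(st);                     /* virStreamRef(): the table's ref */
    if (hash_add(devs, path, st) < 0)
        goto error;
    in_hash = 1;
    if (fdstream_open(st, path, fail_open) < 0)
        goto error;
    return 0;

error:
    if (!fixed || !in_hash)
        stream_unref(st);               /* virStreamFree() */
    hash_remove(devs, path);            /* unrefs only if the entry exists */
    return -1;
}

typedef struct { int refs; int disposed; int use_after_free; } outcome_t;

/* Failing-open scenario: the stream starts with the caller's own reference
 * (refs = 1), which the caller drops after the error, as the daemon does on
 * disconnect. The path is constructed for the example. */
static outcome_t run_scenario(int fixed)
{
    devhash_t devs = { "", NULL, 0 };
    stream_t st = { 1, 0, 0 };
    chrdev_open(&devs, &st, "/dev/pts/0", 1, fixed);
    stream_unref(&st);                  /* caller releases its reference */
    return (outcome_t){ st.refs, st.disposed, st.use_after_free };
}

int main(void)
{
    outcome_t bug = run_scenario(0), ok = run_scenario(1);
    printf("buggy: refs=%d disposed=%d use_after_free=%d\n",
           bug.refs, bug.disposed, bug.use_after_free);
    printf("fixed: refs=%d disposed=%d use_after_free=%d\n",
           ok.refs, ok.disposed, ok.use_after_free);
    return 0;
}
```

With fixed == 0 the object is disposed inside the error path and the caller's own release lands on a dead object (use_after_free = 1), which is the segfault the report describes; with fixed == 1 the refcount reaches zero exactly once, at the caller's release.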