Description of problem: Boot a Windows 8 guest with mq=on, then shut it down, and boot it again without mq; during startup Windows hangs and qemu core dumps. Version-Release number of selected component (if applicable): # uname -r 3.10.0-33.el7.x86_64 # rpm -q qemu-kvm qemu-kvm-1.5.3-8.el7.x86_64 virtio-win-prewhql-0.1-72 installed inside the guest. How reproducible: 100% Steps to Reproduce: 1. Boot the Windows 8 guest with mq=on: # /usr/libexec/qemu-kvm -M pc -cpu SandyBridge -enable-kvm -m 4096 -smp 4,sockets=1,cores=4,threads=1 -usb -device usb-tablet,id=input0 -name rhel7 -rtc base=localtime,clock=host,driftfix=slew -device virtio-balloon-pci,id=balloon1 -global PIIX4_PM.disable_s3=0 -global PIIX4_PM.disable_s4=0 -monitor stdio -serial unix:/tmp/ttyS0,server,nowait -spice disable-ticketing,port=5931,seamless-migration=on -vga qxl -global qxl-vga.vram_size=67108864 -netdev tap,id=netdev0,vhost=on,script=/etc/qemu-ifup,queues=4 -device virtio-net-pci,mq=on,vectors=9,mac=00:1b:21:7a:76:10,netdev=netdev0,id=nic0 -drive file=/home/win8-64-virtio.qcow2,if=none,format=qcow2,rerror=stop,werror=stop,id=virtio-disk0 -device virtio-blk-pci,drive=virtio-disk0 2. After the guest has booted completely, shut it down. 3. 
Boot again without mq: # /usr/libexec/qemu-kvm -M pc -cpu SandyBridge -enable-kvm -m 4096 -smp 4,sockets=1,cores=4,threads=1 -usb -device usb-tablet,id=input0 -name rhel7 -rtc base=localtime,clock=host,driftfix=slew -device virtio-balloon-pci,id=balloon1 -global PIIX4_PM.disable_s3=0 -global PIIX4_PM.disable_s4=0 -monitor stdio -serial unix:/tmp/ttyS0,server,nowait -spice disable-ticketing,port=5931,seamless-migration=on -vga qxl -global qxl-vga.vram_size=67108864 -netdev tap,id=netdev0,vhost=on,script=/etc/qemu-ifup -device virtio-net-pci,mac=00:1b:21:7a:76:10,netdev=netdev0,id=nic0 -drive file=/home/win8-64-virtio.qcow2,if=none,format=qcow2,rerror=stop,werror=stop,id=virtio-disk0 -device virtio-blk-pci,drive=virtio-disk0 Actual results: qemu core dumps during boot. Backtrace (bt f): (gdb) bt #0 0x00007ffff32df999 in raise () from /lib64/libc.so.6 #1 0x00007ffff32e10a8 in abort () from /lib64/libc.so.6 #2 0x00005555557832e6 in kvm_io_ioeventfd_add (listener=<optimized out>, section=0x7fffea8199a0, match_data=<optimized out>, data=0, e=<optimized out>) at /usr/src/debug/qemu-1.5.3/kvm-all.c:846 #3 0x0000555555788ae7 in address_space_add_del_ioeventfds (fds_old_nb=1, fds_old=0x7fffdc000920, fds_new_nb=1, fds_new=0x7fffdc000960, as=0x55555644e200 <address_space_io>) at /usr/src/debug/qemu-1.5.3/memory.c:616 #4 address_space_update_ioeventfds (as=0x55555644e200 <address_space_io>) at /usr/src/debug/qemu-1.5.3/memory.c:649 #5 address_space_update_topology (as=0x55555644e200 <address_space_io>) at /usr/src/debug/qemu-1.5.3/memory.c:730 #6 memory_region_transaction_commit () at /usr/src/debug/qemu-1.5.3/memory.c:750 #7 0x000055555567e45d in pci_update_mappings (d=0x5555567257f0) at hw/pci/pci.c:1112 #8 0x000055555567e8d8 in pci_default_write_config (d=d@entry=0x5555567257f0, addr=addr@entry=4, val=0, l=l@entry=2) at hw/pci/pci.c:1163 #9 0x00005555556b6ada in virtio_write_config (pci_dev=0x5555567257f0, address=4, val=<optimized out>, len=2) at hw/virtio/virtio-pci.c:464 #10 
0x0000555555785fb2 in access_with_adjusted_size (addr=addr@entry=0, value=value@entry=0x7fffea819b58, size=2, access_size_min=<optimized out>, access_size_max=<optimized out>, access=access@entry=0x555555786570 <memory_region_write_accessor>, opaque=opaque@entry=0x55555668a098) at /usr/src/debug/qemu-1.5.3/memory.c:364 #11 0x0000555555787487 in memory_region_iorange_write (iorange=<optimized out>, offset=0, width=2, data=1287) at /usr/src/debug/qemu-1.5.3/memory.c:439 #12 0x0000555555784d65 in kvm_handle_io (count=1, size=2, direction=1, data=<optimized out>, port=3324) at /usr/src/debug/qemu-1.5.3/kvm-all.c:1489 #13 kvm_cpu_exec (env=env@entry=0x55555665ffb0) at /usr/src/debug/qemu-1.5.3/kvm-all.c:1638 #14 0x0000555555730245 in qemu_kvm_cpu_thread_fn (arg=0x55555665ffb0) at /usr/src/debug/qemu-1.5.3/cpus.c:793 #15 0x00007ffff625ade3 in start_thread () from /lib64/libpthread.so.0 #16 0x00007ffff33a01ad in clone () from /lib64/libc.so.6 (gdb) bt ful #0 0x00007ffff32df999 in raise () from /lib64/libc.so.6 No symbol table info available. #1 0x00007ffff32e10a8 in abort () from /lib64/libc.so.6 No symbol table info available. 
#2 0x00005555557832e6 in kvm_io_ioeventfd_add (listener=<optimized out>, section=0x7fffea8199a0, match_data=<optimized out>, data=0, e=<optimized out>) at /usr/src/debug/qemu-1.5.3/kvm-all.c:846 fd = <optimized out> r = <optimized out> #3 0x0000555555788ae7 in address_space_add_del_ioeventfds (fds_old_nb=1, fds_old=0x7fffdc000920, fds_new_nb=1, fds_new=0x7fffdc000960, as=0x55555644e200 <address_space_io>) at /usr/src/debug/qemu-1.5.3/memory.c:616 _listener = 0x555555c32ca0 <kvm_io_listener> iold = 0 inew = 0 fd = 0x7fffdc000960 section = {mr = 0x0, address_space = 0x55555644e200 <address_space_io>, offset_within_region = 0, size = 2, offset_within_address_space = 49232, readonly = false} #4 address_space_update_ioeventfds (as=0x55555644e200 <address_space_io>) at /usr/src/debug/qemu-1.5.3/memory.c:649 fr = <optimized out> tmp = {start = {lo = 49232, hi = 0}, size = {lo = 2, hi = 0}} i = <optimized out> ioeventfd_nb = <optimized out> ioeventfds = <optimized out> #5 address_space_update_topology (as=0x55555644e200 <address_space_io>) at /usr/src/debug/qemu-1.5.3/memory.c:730 old_view = <optimized out> new_view = <optimized out> #6 memory_region_transaction_commit () at /usr/src/debug/qemu-1.5.3/memory.c:750 as = 0x55555644e200 <address_space_io> #7 0x000055555567e45d in pci_update_mappings (d=0x5555567257f0) at hw/pci/pci.c:1112 r = 0x5555567258f8 i = 0 #8 0x000055555567e8d8 in pci_default_write_config (d=d@entry=0x5555567257f0, addr=addr@entry=4, val=0, l=l@entry=2) at hw/pci/pci.c:1163 i = <optimized out> was_irq_disabled = 1024 __PRETTY_FUNCTION__ = "pci_default_write_config" #9 0x00005555556b6ada in virtio_write_config (pci_dev=0x5555567257f0, address=4, val=<optimized out>, len=2) at hw/virtio/virtio-pci.c:464 proxy = 0x5555567257f0 #10 0x0000555555785fb2 in access_with_adjusted_size (addr=addr@entry=0, value=value@entry=0x7fffea819b58, size=2, access_size_min=<optimized out>, access_size_max=<optimized out>, access=access@entry=0x555555786570 
<memory_region_write_accessor>, opaque=opaque@entry=0x55555668a098) at /usr/src/debug/qemu-1.5.3/memory.c:364 access_mask = 65535 access_size = 2 i = <optimized out> #11 0x0000555555787487 in memory_region_iorange_write (iorange=<optimized out>, offset=0, width=2, data=1287) at /usr/src/debug/qemu-1.5.3/memory.c:439 mrio = <optimized out> mr = 0x55555668a098 __PRETTY_FUNCTION__ = "memory_region_iorange_write" #12 0x0000555555784d65 in kvm_handle_io (count=1, size=2, direction=1, data=<optimized out>, port=3324) at /usr/src/debug/qemu-1.5.3/kvm-all.c:1489 i = 0 ptr = 0x7ffff7ff0000 "\a\005" #13 kvm_cpu_exec (env=env@entry=0x55555665ffb0) at /usr/src/debug/qemu-1.5.3/kvm-all.c:1638 cpu = 0x55555665fea0 __func__ = "kvm_cpu_exec" run = 0x7ffff7fef000 ret = <optimized out> run_ret = <optimized out> #14 0x0000555555730245 in qemu_kvm_cpu_thread_fn (arg=0x55555665ffb0) at /usr/src/debug/qemu-1.5.3/cpus.c:793 cpu = 0x55555665fea0 __func__ = "qemu_kvm_cpu_thread_fn" r = <optimized out> #15 0x00007ffff625ade3 in start_thread () from /lib64/libpthread.so.0 No symbol table info available. #16 0x00007ffff33a01ad in clone () from /lib64/libc.so.6 No symbol table info available. (gdb) Expected results: No core dump. Additional info: The backtrace shows abort() being reached from a guest-initiated PCI config-space write (kvm_handle_io -> virtio_write_config -> pci_default_write_config -> pci_update_mappings -> memory_region_transaction_commit -> kvm_io_ioeventfd_add at kvm-all.c:846), so a guest-side action takes down the entire qemu-kvm process rather than just its own network device.