Description of problem:
As in the subject: after 300 rounds of hot unplug then hot plug, the guest got a segmentation fault. Did not hit this issue with a RHEL guest.

Version-Release number of selected component (if applicable):
kernel-2.6.18-262.el5
kvm-83-235.el5

How reproducible:
2/3

Steps to Reproduce:
1. Boot a Windows guest:

/usr/libexec/qemu-kvm -no-hpet -no-kvm-pit-reinjection -usbdevice tablet -rtc-td-hack -startdate now -name win7-32 -smp 4,cores=4 -k en-us -m 3G -boot c -net nic,vlan=1,macaddr=00:1a:4a:42:49:10,model=virtio -net tap,vlan=1,ifname=virtio_10_1,script=/etc/qemu-ifup,downscript=no -drive file=/mnt/win7-32-sp1-qcow2,media=disk,if=virtio,cache=off,boot=on,format=qcow2,werror=stop -cpu qemu64,+sse2 -M rhel5.6.0 -notify all -balloon none -spice host=0,ic=on,port=5930,disable-ticketing -qxl 1 -net tap,vlan=2,ifname=virtio_10_2,script=/etc/qemu-ifup,downscript=no -monitor unix:/tmp/aaa,server,nowait

(qemu) info network
VLAN 1 devices:
  tap.0: ifname=virtio_10_1,script=/etc/qemu-ifup,downscript=no
  virtio.0: model=virtio,macaddr=00:1a:4a:42:49:10
VLAN 2 devices:
  tap.1: ifname=virtio_10_2,script=/etc/qemu-ifup,downscript=no

2. In the host:

# for ((i=1;i<=300;i++)); do echo pci_add pci_addr=0x06 nic vlan=2,model=virtio | nc -U /tmp/aaa; sleep 4; echo pci_del pci_addr=0x06 | nc -U /tmp/aaa; echo $i; sleep 4; done

3.

Actual results:
The guest got a segmentation fault after 300 rounds of hot plug/unplug.

Expected results:
The guest works well.

Additional info:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000415eae in virtio_update_irq (vdev=0x1dfdd60) at /usr/src/debug/kvm-83-maint-snapshot-20090205/qemu/hw/virtio.c:485
485         qemu_set_irq(vdev->pci_dev.irq[0], vdev->isr & 1);
(gdb) bt
#0  0x0000000000415eae in virtio_update_irq (vdev=0x1dfdd60) at /usr/src/debug/kvm-83-maint-snapshot-20090205/qemu/hw/virtio.c:485
#1  0x0000000000415fdb in virtio_reset (opaque=<value optimized out>) at /usr/src/debug/kvm-83-maint-snapshot-20090205/qemu/hw/virtio.c:500
#2  0x0000000000407766 in qemu_system_reset () at /usr/src/debug/kvm-83-maint-snapshot-20090205/qemu/vl.c:3942
#3  0x0000000000501196 in qemu_kvm_system_reset () at /usr/src/debug/kvm-83-maint-snapshot-20090205/qemu/qemu-kvm.c:369
#4  kvm_main_loop () at /usr/src/debug/kvm-83-maint-snapshot-20090205/qemu/qemu-kvm.c:604
#5  0x000000000040e757 in main_loop (argc=40, argv=0x7fffffffe598, envp=<value optimized out>) at /usr/src/debug/kvm-83-maint-snapshot-20090205/qemu/vl.c:4157
#6  main (argc=40, argv=0x7fffffffe598, envp=<value optimized out>) at /usr/src/debug/kvm-83-maint-snapshot-20090205/qemu/vl.c:6559
(gdb)
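The one-line loop in step 2 only reports the iteration counter; when qemu-kvm dies you have to work back from the last number printed, and nothing stops the loop from going on sending commands to a dead socket. The script below is an added example, not part of the bug report or of the kvm package: it sends the same pci_add/pci_del monitor commands over the same unix socket, but checks the qemu-kvm process after every round and stops at the first iteration on which it is gone, so the crashing iteration is recorded and a core file (with `ulimit -c unlimited` set before qemu-kvm was started) is available for the gdb backtrace shown in Additional info. The socket path /tmp/aaa, slot 0x06, vlan 2 and 300 rounds are the report's values; QEMU_PID is an assumed environment variable that the caller supplies.

```shell
#!/bin/sh
# Added example (not from the bug report): drive the report's hot plug/unplug
# loop, but watch the qemu-kvm process and stop at the first iteration on
# which it dies. Defaults match the report; QEMU_PID is an assumption.

MON_SOCK=${MON_SOCK:-/tmp/aaa}     # -monitor unix:/tmp/aaa,server,nowait
PCI_SLOT=${PCI_SLOT:-0x06}
VLAN=${VLAN:-2}
ITERATIONS=${ITERATIONS:-300}
SETTLE=${SETTLE:-4}                 # seconds between add and del, as in the report

# Monitor command strings, kept in functions so they can be checked in isolation.
add_cmd() { printf 'pci_add pci_addr=%s nic vlan=%s,model=virtio' "$1" "$2"; }
del_cmd() { printf 'pci_del pci_addr=%s' "$1"; }

# Exit status 0 if $1 is a live process we may signal, non-zero otherwise.
is_alive() { kill -0 "$1" 2>/dev/null; }

# Send one monitor command over the unix socket (nc -U, as the report does).
monitor() { printf '%s\n' "$1" | nc -U "$MON_SOCK"; }

# Run the loop against the qemu-kvm pid in $1. Prints either the iteration on
# which the process died (and returns 1) or "survived N iterations" (returns 0).
hotplug_loop() {
    pid=$1
    i=1
    while [ "$i" -le "$ITERATIONS" ]; do
        monitor "$(add_cmd "$PCI_SLOT" "$VLAN")" >/dev/null
        sleep "$SETTLE"
        monitor "$(del_cmd "$PCI_SLOT")" >/dev/null
        sleep "$SETTLE"
        if ! is_alive "$pid"; then
            echo "qemu-kvm (pid $pid) died during iteration $i"
            return 1
        fi
        i=$((i + 1))
    done
    echo "survived $ITERATIONS iterations"
    return 0
}

# Only run when a pid was supplied, e.g.
#   QEMU_PID=$(pgrep -f 'qemu-kvm.*-name win7-32') sh hotplug-loop.sh
if [ -n "$QEMU_PID" ]; then
    hotplug_loop "$QEMU_PID"
fi
```

`kill -0` also succeeds on a zombie, so if qemu-kvm is started from a shell that does not reap it, check `/proc/$QEMU_PID/status` for `State: Z` as well. Keeping the iteration count lets a later run start from a shorter ITERATIONS value to see whether the crash is tied to the round count or to a guest reset that happens to coincide with it.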