x86: 0.992
architecture: 0.976
device: 0.966
peripherals: 0.946
ppc: 0.934
vnc: 0.918
graphic: 0.893
PID: 0.861
network: 0.823
i386: 0.820
kernel: 0.789
KVM: 0.788
files: 0.772
socket: 0.753
performance: 0.722
register: 0.713
boot: 0.711
permissions: 0.706
VMM: 0.688
user-level: 0.680
risc-v: 0.676
TCG: 0.658
mistranslation: 0.650
semantic: 0.645
hypervisor: 0.608
arm: 0.594
virtual: 0.551
debug: 0.477
assembly: 0.197

ohci doesn't check the 'num-ports' property

command:
qemu-system-x86_64 -m 1024 -enable-kvm /root/centos6.img -enable-kvm -device pci-ohci,num-ports=100,masterbus=1

The ohci doesn't check the 'num-ports' property and would case an out-of-bands write,crash the qemu process.

    ohci->num_ports = num_ports;
    if (masterbus) {
        USBPort *ports[OHCI_MAX_PORTS];
        for(i = 0; i < num_ports; i++) {
            ports[i] = &ohci->rhport[i].port;
        }

The version of qemu is 2.6.0 release from 
http://wiki.qemu-project.org/download/qemu-2.6.0.tar.bz2

I was able to reproduce the crash, and proposed now a fix on the qemu-devel mailing list (see https://patchwork.ozlabs.org/patch/625092/ for details)

The fix has been included in the repository:

http://git.qemu.org/?p=qemu.git;a=commitdiff;h=d400fc018b326104d26

Thanks for reporting the issue!