qemu-system-x86_64 crash during kernel PCI init with large number of busses
Description of problem:
When booting a Linux kernel under qemu-system-x86_64 (tcg) using a large number of PCI busses (25+), qemu crashes with an invalid memory access during kernel PCI init phase. Failure rate is not 100%; some kernel boots do succeed, but the failure rate increases as the number of pci busses increases. Note that no initrd is needed; crash happens before kernel even gets to the point of trying to mount root.
Steps to reproduce:
Launch qemu using command line above along with 4.19.x kernel image (have not tested 5.x). It may take a few tries but within about 20 boot attempts, qemu will crash at least once.
Additional information:
Final kernel logs before crash:
```
...
[    1.413615] ACPI: Added _OSI(Module Device)
[    1.413947] ACPI: Added _OSI(Processor Device)
[    1.414262] ACPI: Added _OSI(3.0 _SCP Extensions)
[    1.414421] ACPI: Added _OSI(Processor Aggregator Device)
[    1.414922] ACPI: Added _OSI(Linux-Dell-Video)
[    1.415445] ACPI: Added _OSI(Linux-Lenovo-NV-HDMI-Audio)
[    1.444489] ACPI: 1 ACPI AML tables successfully acquired and loaded
[    1.468218] ACPI: Interpreter enabled
[    1.469897] ACPI: (supports S0 S3 S4 S5)
[    1.470200] ACPI: Using IOAPIC for interrupt routing
[    1.471811] PCI: Using host bridge windows from ACPI; if necessary, use "pci=nocrs" and repog
[    1.474421] ACPI: Enabled 2 GPEs in block 00 to 3F
[    1.536854] ACPI: PCI Root Bridge [PCI0] (domain 0000 [bus 00-ff])
[    1.537996] acpi PNP0A08:00: _OSC: OS supports [ExtendedConfig ASPM ClockPM Segments MSI]
[    1.540988] acpi PNP0A08:00: _OSC: platform does not support [LTR]
[    1.542232] acpi PNP0A08:00: _OSC: OS now controls [PME AER PCIeCapability]
[    1.546310] PCI host bridge to bus 0000:00
[    1.546650] pci_bus 0000:00: root bus resource [io  0x0000-0x0cf7 window]
[    1.547471] pci_bus 0000:00: root bus resource [io  0x0d00-0xffff window]
[    1.548039] pci_bus 0000:00: root bus resource [mem 0x000a0000-0x000bffff window]
[    1.548421] pci_bus 0000:00: root bus resource [mem 0x80000000-0xafffffff window]
[    1.549086] pci_bus 0000:00: root bus resource [mem 0xc0000000-0xfebfffff window]
[    1.549945] pci_bus 0000:00: root bus resource [mem 0x280000000-0xa7fffffff window]
[    1.550994] pci_bus 0000:00: root bus resource [bus 00-ff]
<...crash...>
```

QEMU backtrace:
```
$ gdb build/qemu-system-x86_64 core.3475232
<...>
Reading symbols from build/qemu-system-x86_64...
[New LWP 3475243]
[New LWP 3475244]
[New LWP 3475241]
[New LWP 3475238]
[New LWP 3475245]
[New LWP 3475239]
[New LWP 3475246]
[New LWP 3475240]
[New LWP 3475232]
[New LWP 3475242]
[New LWP 3475236]
[New LWP 3475247]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `build/qemu-system-x86_64 -m 8192 -smp cpus=10,threads=2 -nographic -machine q35'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000556065897e0e in memory_region_dispatch_write (mr=mr@entry=0x0, addr=addr@entry=768, data=data@entry=253, 
    op=op@entry=MO_32, attrs=...) at ../softmmu/memory.c:1497
1497	    if (mr->alias) {
[Current thread is 1 (Thread 0x7fe2e951d640 (LWP 3475243))]
(gdb) bt full
#0  0x0000556065897e0e in memory_region_dispatch_write
    (mr=mr@entry=0x0, addr=addr@entry=768, data=data@entry=253, op=op@entry=MO_32, attrs=...) at ../softmmu/memory.c:1497
        size = <optimized out>
#1  0x00005560659112c2 in io_writex
    (env=env@entry=0x556066bbd5d0, full=0x7fe08401ec70, mmu_idx=mmu_idx@entry=2, val=val@entry=253, addr=addr@entry=18446744073699050240, retaddr=retaddr@entry=140611404753775, op=MO_32) at ../accel/tcg/cputlb.c:1430
        _iothread_lock_auto = 0x1
        cpu = 0x556066bbb1e0
        mr_offset = 768
        section = 0x7fe078d7d570
        mr = 0x0
        r = <optimized out>
#2  0x0000556065915f14 in store_helper
    (op=MO_32, retaddr=140611404753775, oi=<optimized out>, val=<optimized out>, addr=18446744073699050240, env=0x556066bbd5d0)
    at ../accel/tcg/cputlb.c:2454
        full = <optimized out>
        need_swap = false
        a_bits = <optimized out>
        mmu_idx = 2
        tlb_addr = <optimized out>
        haddr = <optimized out>
        size = 4
        index = <optimized out>
        entry = 0x7fe08401bc40
#3  full_le_stl_mmu (env=0x556066bbd5d0, addr=18446744073699050240, val=253, oi=<optimized out>, retaddr=140611404753775)
    at ../accel/tcg/cputlb.c:2542
#4  0x00007fe2a4d4eb6f in code_gen_buffer ()
#5  0x00005560659065bb in cpu_tb_exec
    (cpu=cpu@entry=0x556066bbb1e0, itb=itb@entry=0x7fe2a4d4e9c0 <code_gen_buffer+13953427>, tb_exit=tb_exit@entry=0x7fe2e951c758)
    at ../accel/tcg/cpu-exec.c:460
        env = 0x556066bbd5d0
        ret = <optimized out>
        last_tb = <optimized out>
        tb_ptr = 0x7fe2a4d4ea80 <code_gen_buffer+13953619>
        __PRETTY_FUNCTION__ = "cpu_tb_exec"
#6  0x0000556065906ab6 in cpu_loop_exec_tb
    (tb_exit=0x7fe2e951c758, last_tb=<synthetic pointer>, pc=<optimized out>, tb=0x7fe2a4d4e9c0 <code_gen_buffer+13953427>, cpu=0x556066bbb1e0) at ../accel/tcg/cpu-exec.c:893
        insns_left = <optimized out>
        __PRETTY_FUNCTION__ = "cpu_loop_exec_tb"
        tb = 0x7fe2a4d4e9c0 <code_gen_buffer+13953427>
        flags = <optimized out>
        cflags = 4280811520
        cs_base = <optimized out>
        pc = <optimized out>
        last_tb = <optimized out>
        tb_exit = 0
--Type <RET> for more, q to quit, c to continue without paging--
        ret = <optimized out>
#7  cpu_exec_loop (cpu=cpu@entry=0x556066bbb1e0, sc=sc@entry=0x7fe2e951c7f0) at ../accel/tcg/cpu-exec.c:1013
        tb = 0x7fe2a4d4e9c0 <code_gen_buffer+13953427>
        flags = <optimized out>
        cflags = 4280811520
        cs_base = <optimized out>
        pc = <optimized out>
        last_tb = <optimized out>
        tb_exit = 0
        ret = <optimized out>
#8  0x0000556065907311 in cpu_exec_setjmp (cpu=cpu@entry=0x556066bbb1e0, sc=sc@entry=0x7fe2e951c7f0) at ../accel/tcg/cpu-exec.c:1043
        __func__ = "cpu_exec_setjmp"
#9  0x00005560659079f0 in cpu_exec (cpu=cpu@entry=0x556066bbb1e0) at ../accel/tcg/cpu-exec.c:1069
        ret = <optimized out>
        sc = {diff_clk = 0, last_cpu_icount = 0, realtime_clock = 0}
#10 0x000055606592a854 in tcg_cpus_exec (cpu=cpu@entry=0x556066bbb1e0) at ../accel/tcg/tcg-accel-ops.c:81
        ret = <optimized out>
        __PRETTY_FUNCTION__ = "tcg_cpus_exec"
#11 0x000055606592a9a7 in mttcg_cpu_thread_fn (arg=arg@entry=0x556066bbb1e0) at ../accel/tcg/tcg-accel-ops-mttcg.c:95
        r = <optimized out>

                  force_rcu = {notifier = {notify = 0x55606592aac0 <mttcg_force_rcu>, node = {le_next = 0x0, le_prev = 0x7fe2e951d4a0}}, cpu = 0x556066bbb1e0}
        cpu = 0x556066bbb1e0
        __PRETTY_FUNCTION__ = "mttcg_cpu_thread_fn"
        __func__ = "mttcg_cpu_thread_fn"
#12 0x0000556065aa2e91 in qemu_thread_start (args=<optimized out>) at ../util/qemu-thread-posix.c:541

                    __cancel_buf = {__cancel_jmp_buf = {{__cancel_jmp_buf = {140612553791040, -3809744250012005023, 93872529245600, 25, 140612607756368, 140729970282144, -7051494707616903839, -3809738403745854111}, __mask_was_saved = 0}}, __pad = {0x7fe2e951c970, 0x0, 0x0, 0x0}}
        __cancel_routine = 0x556065aa2ee0 <qemu_thread_atexit_notify>
        __not_first_call = <optimized out>
        start_routine = 0x55606592a8a0 <mttcg_cpu_thread_fn>
        arg = 0x556066bbb1e0
        r = <optimized out>
#13 0x00007fe2ec894b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
        ret = <optimized out>
        pd = <optimized out>

                      unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140729970281792, 7053160723592154465, 140612553791040, 25, 140612607756368, 140729970282144, -7051494707570766495, -7051505217351676575}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
#14 0x00007fe2ec926a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
```