peripherals: 0.865
ppc: 0.823
x86: 0.814
hypervisor: 0.804
TCG: 0.803
user-level: 0.792
VMM: 0.787
vnc: 0.785
risc-v: 0.780
mistranslation: 0.778
KVM: 0.776
graphic: 0.774
register: 0.772
semantic: 0.757
i386: 0.757
device: 0.755
architecture: 0.745
performance: 0.742
permissions: 0.738
virtual: 0.735
debug: 0.727
arm: 0.706
network: 0.702
assembly: 0.698
socket: 0.688
PID: 0.687
kernel: 0.669
boot: 0.646
files: 0.619

virtio-net: Use-After-Free during unrealization of virtio-net
Description of problem:
When hotplugging `virtio-net` device, mishandling of `failover` option may leads to use-after-free.
More specifically, if we try to hotplug virtio-net device with `failover=on` and other invalid option (e.g. `rx_queue_size=0`), the device listner callback is registered but not unregistered before being freed, leading to UAF.
Steps to reproduce:
```sh
cat <<EOF | qemu-system-i386 -M q35 -nodefaults -chardev stdio,id=char0 -mon char0 -device pcie-pci-bridge,id=br1,bus=pcie.0
device_add virtio-net,failover=on,rx_queue_size=0,bus=br1,id=dev0
device_add virtio-net,failover=on,bus=br1,id=dev0
quit
EOF
```

If above command is not working, let me know so that I provide more information.
Additional information:
The following log leveals bug location:

```sh
$ cat <<EOF | qemu-system-i386 -M q35 -nodefaults -chardev stdio,id=char0 -mon char0 -device pcie-pci-bridge,id=br1,bus=pcie.0
device_add virtio-net,failover=on,rx_queue_size=0,bus=br1,id=dev0
device_add virtio-net,failover=on,bus=br1,id=dev0
quit
EOF
==836681==WARNING: ASan doesn't fully support makecontext/swapcontext functions and may produce false positives in some cases!
QEMU 8.1.93 monitor - type 'help' for more information
VNC server running on 127.0.0.1:5900
(qemu) device_add virtio-net,failover=on,rx_queue_size=0,bus=br1,id=dev0
Error: Invalid rx_queue_size (= 0), must be a power of 2 between 256 and 1024.
(qemu) device_add virtio-net,failover=on,bus=br1,id=dev0
=================================================================
==836681==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e00000ab58 at pc 0x5577bbb8fe22 bp 0x7ffeb03fca50 sp 0x7ffeb03fca48
READ of size 8 at 0x62e00000ab58 thread T0
    #0 0x5577bbb8fe21 in qdev_should_hide_device /home/XXX/qemu/build/../hw/core/qdev.c:233:23
    #1 0x5577bb14aac4 in qdev_device_add_from_qdict /home/XXX/qemu/build/../system/qdev-monitor.c:662:9
    #2 0x5577bb14c364 in qdev_device_add /home/XXX/qemu/build/../system/qdev-monitor.c:738:11
    #3 0x5577bb14d6eb in qmp_device_add /home/XXX/qemu/build/../system/qdev-monitor.c:860:11
    #4 0x5577bb14e11d in hmp_device_add /home/XXX/qemu/build/../system/qdev-monitor.c:968:5
    #5 0x5577bb29aef4 in handle_hmp_command_exec /home/XXX/qemu/build/../monitor/hmp.c:1106:9
    #6 0x5577bb298fa3 in handle_hmp_command /home/XXX/qemu/build/../monitor/hmp.c:1158:9
    #7 0x5577bb2949ee in monitor_command_cb /home/XXX/qemu/build/../monitor/hmp.c:47:5
    #8 0x5577bc2b0c3a in readline_handle_byte /home/XXX/qemu/build/../util/readline.c:419:13
    #9 0x5577bb29d261 in monitor_read /home/XXX/qemu/build/../monitor/hmp.c:1390:13
    #10 0x5577bbfda644 in fd_chr_read /home/XXX/qemu/build/../chardev/char-fd.c:72:9
    #11 0x7f53d36e5c43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43) (BuildId: 224ac2a88b72bc8e2fe8566ee28fae789fc69241)
    #12 0x5577bc2536db in glib_pollfds_poll /home/XXX/qemu/build/../util/main-loop.c:290:9
    #13 0x5577bc2536db in os_host_main_loop_wait /home/XXX/qemu/build/../util/main-loop.c:313:5
    #14 0x5577bc2536db in main_loop_wait /home/XXX/qemu/build/../util/main-loop.c:592:11
    #15 0x5577bb15dd06 in qemu_main_loop /home/XXX/qemu/build/../system/runstate.c:782:9
    #16 0x5577bbb81115 in qemu_default_main /home/XXX/qemu/build/../system/main.c:37:14
    #17 0x7f53d2c3fd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #18 0x7f53d2c3fe3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #19 0x5577ba4c3584 in _start (/usr/local/bin/qemu-system-i386+0x1ada584) (BuildId: c7ca543ea41d3478bc13cdf604d47805b990620e)

0x62e00000ab58 is located 42840 bytes inside of 43008-byte region [0x62e000000400,0x62e00000ac00)
freed by thread T1 here:
    #0 0x5577ba546122 in __interceptor_free (/usr/local/bin/qemu-system-i386+0x1b5d122) (BuildId: c7ca543ea41d3478bc13cdf604d47805b990620e)
    #1 0x5577bbba5135 in object_finalize /home/XXX/qemu/build/../qom/object.c:714:9
    #2 0x5577bbba5135 in object_unref /home/XXX/qemu/build/../qom/object.c:1217:9
    #3 0x5577bbb91ac3 in bus_free_bus_child /home/XXX/qemu/build/../hw/core/qdev.c:55:5

previously allocated by thread T0 here:
    #0 0x5577ba5463ce in malloc (/usr/local/bin/qemu-system-i386+0x1b5d3ce) (BuildId: c7ca543ea41d3478bc13cdf604d47805b990620e)
    #1 0x7f53d36ee738 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5e738) (BuildId: 224ac2a88b72bc8e2fe8566ee28fae789fc69241)
    #2 0x5577bb14c364 in qdev_device_add /home/XXX/qemu/build/../system/qdev-monitor.c:738:11
    #3 0x5577bb29aef4 in handle_hmp_command_exec /home/XXX/qemu/build/../monitor/hmp.c:1106:9
    #4 0x5577bb298fa3 in handle_hmp_command /home/XXX/qemu/build/../monitor/hmp.c:1158:9
    #5 0x5577bb2949ee in monitor_command_cb /home/XXX/qemu/build/../monitor/hmp.c:47:5

Thread T1 created by T0 here:
    #0 0x5577ba52f84c in pthread_create (/usr/local/bin/qemu-system-i386+0x1b4684c) (BuildId: c7ca543ea41d3478bc13cdf604d47805b990620e)
    #1 0x5577bc1fcc24 in qemu_thread_create /home/XXX/qemu/build/../util/qemu-thread-posix.c:581:11
    #2 0x5577bc229970 in rcu_init_complete /home/XXX/qemu/build/../util/rcu.c:415:5
    #3 0x5577bc229970 in rcu_init /home/XXX/qemu/build/../util/rcu.c:471:5
    #4 0x7f53d2c3feba in call_init csu/../csu/libc-start.c:145:3
    #5 0x7f53d2c3feba in __libc_start_main csu/../csu/libc-start.c:379:5

SUMMARY: AddressSanitizer: heap-use-after-free /home/XXX/qemu/build/../hw/core/qdev.c:233:23 in qdev_should_hide_device
Shadow bytes around the buggy address:
  0x0c5c7fff9510: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c7fff9520: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c7fff9530: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c7fff9540: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c7fff9550: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c5c7fff9560: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
  0x0c5c7fff9570: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c7fff9580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fff9590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fff95a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fff95b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==836681==ABORTING
```

#