Free invalid pointer crash in vnc

Attempt to send qemu monitor command crashed the VM. I have sent the following qemu monitor command to a running instance: 

virsh qemu-monitor-command --hmp instance-xxxxxxx 'change vnc none'

At the time I was connected via VNC. Closing my xvncviewer resulted
in a crash of the VM. 

Backtrace:

*** Error in `/usr/bin/qemu-system-x86_64': free(): invalid pointer: 0x0000564f887a87e0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fa18b38b7e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7fa18b39437a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7fa18b39853c]
/usr/bin/qemu-system-x86_64(+0x4b25dd)[0x564f871a75dd]
/usr/bin/qemu-system-x86_64(visit_type_VncServerInfo+0xa2)[0x564f871b9612]
/usr/bin/qemu-system-x86_64(qapi_free_VncServerInfo+0x30)[0x564f871a6be0]
/usr/bin/qemu-system-x86_64(+0x441bca)[0x564f87136bca]
/usr/bin/qemu-system-x86_64(vnc_disconnect_finish+0x37)[0x564f87137bf7]
/usr/bin/qemu-system-x86_64(aio_dispatch+0x68)[0x564f8715dcb8]
/usr/bin/qemu-system-x86_64(+0x45bf9e)[0x564f87150f9e]
/lib/x86_64-linux-gnu/libglib-2.0.so.0(g_main_context_dispatch+0x2a7)[0x7fa18c06c197]
/usr/bin/qemu-system-x86_64(main_loop_wait+0x18b)[0x564f8715c5bb]
/usr/bin/qemu-system-x86_64(main+0x17b4)[0x564f86ed64e4]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fa18b334830]
/usr/bin/qemu-system-x86_64(_start+0x29)[0x564f86edbb79]


Version info:

ii  qemu-system                          1:2.5+dfsg-5ubuntu10.16                    amd64        QEMU full system emulation binaries
ii  qemu-system-x86                      1:2.5+dfsg-5ubuntu10.16                    amd64        QEMU full system emulation binaries (x86)
ii  qemu-utils                           1:2.5+dfsg-5ubuntu10.16                    amd64        QEMU utilities
ii  libvirt-bin                          1.3.1-1ubuntu10.14                         amd64        programs for the libvirt library
ii  libvirt0:amd64                       1.3.1-1ubuntu10.14                         amd64        library for interfacing with different virtualization systems
ii  nova-compute-libvirt                 2:13.1.4-0ubuntu3                          all          OpenStack Compute - compute node libvirt support
ii  python-libvirt                       1.3.1-1ubuntu1                             amd64        libvirt Python bindings

uname -a
Linux <redacted> 4.10.0-32-generic #36~16.04.1-Ubuntu SMP Wed Aug 9 09:19:02 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux


Qemu startup:

starting up libvirt version: 1.3.1, package: 1ubuntu10.14 (Jorge Niedbalski <email address hidden> Thu, 10 Aug 2017 22:50:46 -0400), qemu version: 2.5.0 (Debian 1:2.5+dfsg-5ubuntu10.14), hostname: <redacted>
LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin QEMU_AUDIO_DRV=none /usr/bin/qemu-system-x86_64 -name instance-000015ea -S -machine pc-i440fx-xenial,accel=kvm,usb=off -cpu Haswell-noTSX,+abm,+pdpe1gb,+rdrand,+f16c,+osxsave,+dca,+pdcm,+xtpr,+tm2,+est,+smx,+vmx,+ds_cpl,+dtes64,+pbe,+tm,+ht,+ss,+acpi,+ds,+vme -m 32768 -realtime mlock=off -smp 10,sockets=5,cores=1,threads=2 -object memory-backend-file,id=ram-node0,prealloc=yes,mem-path=/dev/hugepages/libvirt/qemu,share=yes,size=34359738368,host-nodes=0,policy=bind -numa node,nodeid=0,cpus=0-9,memdev=ram-node0 -uuid 9c2c7bdb-baae-45e7-888f-d090b3d331be -smbios 'type=1,manufacturer=OpenStack Foundation,product=OpenStack Nova,version=13.1.4,serial=24efafa3-b4a7-4489-a06a-17f23a63ff2b,uuid=9c2c7bdb-baae-45e7-888f-d090b3d331be,family=Virtual Machine' -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain-instance-000015ea/monitor.sock,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew -global kvm-pit.lost_tick_policy=discard -no-hpet -no-shutdown -boot strict=on -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/srv/nova/instances/9c2c7bdb-baae-45e7-888f-d090b3d331be/disk,format=qcow2,if=none,id=drive-virtio-disk0,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0xd,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -drive file=/srv/nova/instances/9c2c7bdb-baae-45e7-888f-d090b3d331be/disk.eph0,format=qcow2,if=none,id=drive-virtio-disk1,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0xe,drive=drive-virtio-disk1,id=virtio-disk1 -drive file=/srv/nova/instances/9c2c7bdb-baae-45e7-888f-d090b3d331be/disk.swap,format=qcow2,if=none,id=drive-virtio-disk2,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0xf,drive=drive-virtio-disk2,id=virtio-disk2 -drive file=/srv/nova/instances/9c2c7bdb-baae-45e7-888f-d090b3d331be/disk.config,format=raw,if=none,id=drive-ide0-1-1,readonly=on,cache=none -device ide-cd,bus=ide.1,unit=1,drive=drive-ide0-1-1,id=ide0-1-1 -netdev tap,fd=27,id=hostnet0,vhost=on,vhostfd=29 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=fa:16:3e:94:ae:0c,bus=pci.0,addr=0x3 -netdev tap,fd=30,id=hostnet1,vhost=on,vhostfd=31 -device virtio-net-pci,netdev=hostnet1,id=net1,mac=fa:16:3e:0e:c5:cc,bus=pci.0,addr=0x4 -netdev tap,fd=32,id=hostnet2,vhost=on,vhostfd=33 -device virtio-net-pci,netdev=hostnet2,id=net2,mac=fa:16:3e:7a:1f:cf,bus=pci.0,addr=0x5 -netdev tap,fd=34,id=hostnet3,vhost=on,vhostfd=35 -device virtio-net-pci,netdev=hostnet3,id=net3,mac=fa:16:3e:70:8a:21,bus=pci.0,addr=0x6 -netdev tap,fd=36,id=hostnet4,vhost=on,vhostfd=37 -device virtio-net-pci,netdev=hostnet4,id=net4,mac=fa:16:3e:41:2a:c9,bus=pci.0,addr=0x7 -netdev tap,fd=38,id=hostnet5,vhost=on,vhostfd=39 -device virtio-net-pci,netdev=hostnet5,id=net5,mac=fa:16:3e:da:e5:4c,bus=pci.0,addr=0x8 -netdev tap,fd=40,id=hostnet6,vhost=on,vhostfd=41 -device virtio-net-pci,netdev=hostnet6,id=net6,mac=fa:16:3e:c5:0f:8d,bus=pci.0,addr=0x9 -netdev tap,fd=42,id=hostnet7,vhost=on,vhostfd=43 -device virtio-net-pci,netdev=hostnet7,id=net7,mac=fa:16:3e:db:c5:4a,bus=pci.0,addr=0xa -netdev tap,fd=44,id=hostnet8,vhost=on,vhostfd=45 -device virtio-net-pci,netdev=hostnet8,id=net8,mac=fa:16:3e:9f:b6:15,bus=pci.0,addr=0xb -netdev tap,fd=46,id=hostnet9,vhost=on,vhostfd=47 -device virtio-net-pci,netdev=hostnet9,id=net9,mac=fa:16:3e:df:f2:0b,bus=pci.0,addr=0xc -chardev file,id=charserial0,path=/srv/nova/instances/9c2c7bdb-baae-45e7-888f-d090b3d331be/console.log -device isa-serial,chardev=charserial0,id=serial0 -chardev pty,id=charserial1 -device isa-serial,chardev=charserial1,id=serial1 -device usb-tablet,id=input0 -vnc 0.0.0.0:0 -k en-us -device cirrus-vga,id=video0,bus=pci.0,addr=0x2 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x10 -msg timestamp=on
char device redirected to /dev/pts/1 (label charserial1)