Created attachment 166768
Patch to illustrate the problem
In the QEMU workaround code in if_ixv.c, the ixv driver calls pci_find_cap(dev, PCIY_MSIX, &rid). It is not checking the return code from that function and the function appears to always be failing. This then causes the driver to use the rid variable uninitialized, which will mean setting a bit at an arbitrary offset in pci config space. For now, this seems to have no adverse impact, but it could easily cause very subtle problems. Also, the QEMU workaround is probably non-functional because of this.
I've attached a patch for a partial solution that checks the error code and skips the PCI write if it fails. This avoids the erroneous PCI accesses, but it would be better if we could figure out why finding the capability is failing (I have not debugged it that far).
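
The failure mode described in this report, reproduced against a simulated config space. This is an added example, not code from the report, the attached patch or the ixv driver. The names sim_find_cap, sim_enable_msix and sim_reset, the stale_rid parameter and the device layout are hypothetical; stale_rid stands in for the uninitialized stack value and must stay below 0xfd in this model.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define CAP_PTR     0x34   /* config offset of the first-capability pointer */
#define CAP_ID_MSIX 0x11   /* PCI capability ID for MSI-X */
#define MSIX_CTRL   0x02   /* message control word, relative to the capability */
#define MSIX_ENABLE 0x8000 /* MSI-X enable bit in message control */
static uint8_t cfg[256];   /* constructed config space of a simulated device */

/* Stand-in for pci_find_cap(): returns 0 and sets *capreg on a match,
 * ENOENT otherwise. Assumption: *capreg is left untouched on failure. */
static int sim_find_cap(uint8_t id, int *capreg)
{
    uint8_t ptr = cfg[CAP_PTR] & 0xfc;
    for (int hops = 0; ptr >= 0x40 && hops < 48; hops++) {
        if (cfg[ptr] == id) {
            *capreg = ptr;
            return 0;
        }
        ptr = cfg[ptr + 1] & 0xfc;
    }
    return ENOENT;
}

/* Sets the MSI-X enable bit. With check_error == 0 the return code is
 * ignored, as in the reported bug. Returns the offset written, or -1. */
static int sim_enable_msix(int check_error, int stale_rid)
{
    int rid = stale_rid;               /* models the uninitialized variable */
    int error = sim_find_cap(CAP_ID_MSIX, &rid);
    if (check_error && error != 0)
        return -1;                     /* capability not found: skip the write */
    rid += MSIX_CTRL;
    uint16_t ctrl = (uint16_t)(cfg[rid] | (cfg[rid + 1] << 8) | MSIX_ENABLE);
    cfg[rid] = (uint8_t)(ctrl & 0xff);
    cfg[rid + 1] = (uint8_t)(ctrl >> 8);
    return rid;
}

/* Constructed device: one power-management capability, optional MSI-X. */
static void sim_reset(int with_msix)
{
    memset(cfg, 0, sizeof(cfg));
    cfg[CAP_PTR] = 0x40;
    cfg[0x40] = 0x01;
    cfg[0x41] = with_msix ? 0x70 : 0x00;
    cfg[0x70] = with_msix ? CAP_ID_MSIX : 0x00;
}
```

With the capability absent, the unchecked path writes the enable bit at stale_rid + 2, which in this layout lands inside the BAR region rather than in any MSI-X structure.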