Correction: the bug is still present in qemu-git. It seems to be slightly harder to trigger, but that might just be luck too. Here's the crash in qemu master 217bfb445b54db618a30f3a39170bebd9fd9dbf2. Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0xb63d36e0 (LWP 32412)] 0xb7679517 in slirp_remque (a=0xb9119cf0) at slirp/misc.c:39 39 ((struct quehead *)(element->qh_rlink))->qh_link = element->qh_link; (gdb) bt #0 0xb7679517 in slirp_remque (a=0xb9119cf0) at slirp/misc.c:39 #1 0xb7677489 in if_start (slirp=0xb87a6eb8) at slirp/if.c:189 #2 0xb767738f in if_output (so=0xb8f6e348, ifm=0xb911a348) at slirp/if.c:138 #3 0xb7678b91 in ip_output (so=0xb8f6e348, m0=0xb911a348) at slirp/ip_output.c:84 #4 0xb7681578 in tcp_output (tp=0xb8eacb48) at slirp/tcp_output.c:456 #5 0xb7683b77 in tcp_timers (tp=0xb8eacb48, timer=0) at slirp/tcp_timer.c:242 #6 0xb76838b0 in tcp_slowtimo (slirp=0xb87a6eb8) at slirp/tcp_timer.c:88 #7 0xb767b636 in slirp_select_poll (readfds=0xbfb3a1ec, writefds=0xbfb3a26c, xfds=0xbfb3a2ec, select_error=0) at slirp/slirp.c:433 #8 0xb7630028 in main_loop_wait (nonblocking=0) at main-loop.c:465 #9 0xb7624dca in main_loop () at /home/craig/projects/QEMU/vl.c:1481 #10 0xb762a628 in main (argc=20, argv=0xbfb3a6f4, envp=0xbfb3a748) at /home/craig/projects/QEMU/vl.c:3485 (gdb) Thread 18 (Thread 0xb29cfb70 (LWP 32487)): #0 0xb74d3424 in __kernel_vsyscall () No symbol table info available. #1 0xb7321e04 in pthread_cond_timedwait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/i386/i686/../i486/pthread_cond_timedwait.S:236 No locals. 
#2 0xb7641112 in cond_timedwait (cond=0xb7d201e0, mutex=0xb7d201c0, ts=0xb29cf35c) at posix-aio-compat.c:104 ret = 0 #3 0xb76418f4 in aio_thread (unused=0x0) at posix-aio-compat.c:334 aiocb = 0xb8dd9f68 ret = 0 tv = {tv_sec = 1331787612, tv_usec = 760876} ts = {tv_sec = 1331787622, tv_nsec = 0} #4 0xb731dd31 in start_thread (arg=0xb29cfb70) at pthread_create.c:304 __res = pd = 0xb29cfb70 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1221398540, 0, 4001536, -1298336648, -1135928557, -434751208}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = { prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = robust = pagesize_m1 = sp = freesize = __PRETTY_FUNCTION__ = "start_thread" #5 0xb6d8e0ce in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130 No locals. Backtrace stopped: Not enough registers or memory available to unwind further Thread 2 (Thread 0xaadbbb70 (LWP 32428)): #0 0xb74d3424 in __kernel_vsyscall () No symbol table info available. #1 0xb7324619 in __lll_lock_wait () at ../nptl/sysdeps/unix/sysv/linux/i386/i686/../i486/lowlevellock.S:142 No locals. #2 0xb73277a0 in _L_cond_lock_704 () from /lib/i386-linux-gnu/libpthread.so.0 libgcc_s_getcfa = 0 libgcc_s_resume = 0 libgcc_s_forcedunwind = 0 libgcc_s_personality = 0 libgcc_s_handle = 0x0 #3 0xb7327521 in __pthread_mutex_cond_lock (mutex=0xb7ef4c00) at ../nptl/pthread_mutex_lock.c:61 __PRETTY_FUNCTION__ = "__pthread_mutex_cond_lock" type = 3085913088 id = 32428 #4 0xb7321b0e in pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/i386/i686/../i486/pthread_cond_wait.S:255 No locals. 
#5 0xb7660526 in qemu_cond_wait (cond=0xb7d30aa0, mutex=0xb7ef4c00) at qemu-thread-posix.c:113 err = -1191168176 __func__ = "qemu_cond_wait" #6 0xb76ee271 in qemu_tcg_wait_io_event () at /home/craig/projects/QEMU/cpus.c:699 env = 0x10000 #7 0xb76ee537 in qemu_tcg_cpu_thread_fn (arg=0xb9003750) at /home/craig/projects/QEMU/cpus.c:778 env = 0x0 #8 0xb731dd31 in start_thread (arg=0xaadbbb70) at pthread_create.c:304 __res = pd = 0xaadbbb70 now = unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1221398540, 0, 4001536, -1428441992, 852171555, -434751208}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = { prev = 0x0, cleanup = 0x0, canceltype = 0}}} not_first_call = robust = pagesize_m1 = sp = freesize = __PRETTY_FUNCTION__ = "start_thread" #9 0xb6d8e0ce in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130 No locals. Backtrace stopped: Not enough registers or memory available to unwind further Thread 1 (Thread 0xb63d36e0 (LWP 32412)): #0 0xb7679517 in slirp_remque (a=0xb9119cf0) at slirp/misc.c:39 element = 0xb9119cf0 #1 0xb7677489 in if_start (slirp=0xb87a6eb8) at slirp/if.c:189 now = 118754910412798 requeued = 0 ifm = 0xb9119cf0 ifqt = 0x0 #2 0xb767738f in if_output (so=0xb8f6e348, ifm=0xb911a348) at slirp/if.c:138 slirp = 0xb87a6eb8 ifq = 0xb9119cf0 on_fastq = 1 #3 0xb7678b91 in ip_output (so=0xb8f6e348, m0=0xb911a348) at slirp/ip_output.c:84 slirp = 0xb87a6eb8 ip = 0xb911a3b4 m = 0xb911a348 hlen = 20 len = -1190026424 off = -1199935676 error = 0 #4 0xb7681578 in tcp_output (tp=0xb8eacb48) at slirp/tcp_output.c:456 so = 0xb8f6e348 len = 0 win = 8760 off = 0 flags = 2 error = 752432 m = 0xb911a348 ti = 0xb911a3b4 opt = "\002\004\005\264\001\000\000\000\204\240\263\277\266\204Զ\252\af\267\224\240\263\277\342\317\001\000·C6" optlen = 4 hdrlen = 44 idle = 0 sendalot = 0 #5 0xb7683b77 in tcp_timers (tp=0xb8eacb48, timer=0) at slirp/tcp_timer.c:242 rexmt = 192 #6 0xb76838b0 in tcp_slowtimo (slirp=0xb87a6eb8) at slirp/tcp_timer.c:88 ip = 0xb8f6e348 ipnxt = 
0xb87a78b8 tp = 0xb8eacb48 i = 0 #7 0xb767b636 in slirp_select_poll (readfds=0xbfb3a1ec, writefds=0xbfb3a26c, xfds=0xbfb3a2ec, select_error=0) at slirp/slirp.c:433 slirp = 0xb87a6eb8 so = 0x0 so_next = 0x0 ret = -1078746644 #8 0xb7630028 in main_loop_wait (nonblocking=0) at main-loop.c:465 rfds = {fds_bits = {2048, 0 }} wfds = {fds_bits = {0 }} xfds = {fds_bits = {0 }} ret = 1 nfds = 18 tv = {tv_sec = 0, tv_usec = 999852} timeout = 1000 #9 0xb7624dca in main_loop () at /home/craig/projects/QEMU/vl.c:1481 nonblocking = false last_io = 0 #10 0xb762a628 in main (argc=20, argv=0xbfb3a6f4, envp=0xbfb3a748) at /home/craig/projects/QEMU/vl.c:3485 gdbstub_dev = 0x0 i = 64 snapshot = 1 linux_boot = 0 icount_option = 0x0 initrd_filename = 0x0 kernel_filename = 0x0 kernel_cmdline = 0xb77ea853 "" boot_devices = "cad", '\000' ds = 0xb89eed90 dcl = 0x0 cyls = 0 heads = 0 secs = 0 translation = 0 hda_opts = 0x0 opts = 0xb7332000 olist = 0xbfb3a5b8 optind = 20 optarg = 0x0 loadvm = 0x0 machine = 0xb7913f40 cpu_model = 0x0 pid_file = 0x0 incoming = 0x0 show_vnc_port = 0 defconfig = 1 log_mask = 0x0 log_file = 0x0 mem_trace = {malloc = 0xb7626a39 , realloc = 0xb7626a96 , free = 0xb7626b07 , calloc = 0, try_malloc = 0, try_realloc = 0} trace_events = 0x0 trace_file = 0x0