On Thu, 7 Apr 2022 at 15:50, Michael S. Tsirkin <m...@redhat.com> wrote:
>
> On Thu, Apr 07, 2022 at 11:03:16AM +0100, Peter Maydell wrote:
> > On Thu, 7 Apr 2022 at 10:52, Michael S. Tsirkin <m...@redhat.com> wrote:
> > >
> > > From: Wentao Liang <wentao_lian...@163.com>
> > >
> > > A potential Use-after-free was reported in virtio_iommu_handle_command
> > > when using virtio-iommu:
> > >
> > > > I find a potential Use-after-free in QEMU 6.2.0, which is in
> > > > virtio_iommu_handle_command() (./hw/virtio/virtio-iommu.c).
> >
> > So, this isn't a regression. Do you think it's critically necessary
> > it goes in 7.0, or is it in the category "put it into 7.0 if we
> > need an rc4 for some other reason anyway" ?
> >
> > (I have a feeling we'll need an rc4, but we'll see.)
> >
> > thanks
> > -- PMM
>
> I am concerned it can be used to trigger a CVE but I could not
> find a way. So I would say if there's an rc4 pls include it
> but if not then we can pick it up in stable.

We needed an rc4 for a couple of other security fixes, so I've
applied this to master; thanks.

-- PMM