Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg05461.html
A flaw was found in qemu. A host privilege escalation issue was found in the virtio-fs shared file system daemon where a privileged guest user is able to create a device special file in the shared directory and use it to r/w access host devices.
This is fixed in to be released qemu-6.0
The patch seems to be slightly malformed, lines 38 and 39 should be:
@@ -684,8 +707,7 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
int valid, struct fuse_file_info *fi)
with that it applies and builds fine