diff --git a/debian/changelog b/debian/changelog
index 6de4d61f4..59a4947b6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -57,6 +57,7 @@ linux (3.2.20-1) UNRELEASED; urgency=low
 * macvtap: zerocopy: set SKBTX_DEV_ZEROCOPY only when skb is built successfully
 * macvtap: zerocopy: validate vectors before building skb (CVE-2012-2119)
+ * KVM: Fix buffer overflow in kvm_set_irq() (CVE-2012-2137)
 [ Bastian Blank ]
 * [s390/s390x,s390x/s390x] Build debugging symbols.
diff --git a/debian/patches/bugfix/all/KVM-Fix-buffer-overflow-in-kvm_set_irq.patch b/debian/patches/bugfix/all/KVM-Fix-buffer-overflow-in-kvm_set_irq.patch
new file mode 100644
index 000000000..08d4368d0
--- /dev/null
+++ b/debian/patches/bugfix/all/KVM-Fix-buffer-overflow-in-kvm_set_irq.patch
@@ -0,0 +1,33 @@
+From: Avi Kivity
+Date: Sun, 22 Apr 2012 17:02:11 +0300
+Subject: [PATCH] KVM: Fix buffer overflow in kvm_set_irq()
+
+commit f2ebd422f71cda9c791f76f85d2ca102ae34a1ed upstream.
+
+kvm_set_irq() has an internal buffer of three irq routing entries, allowing
+connecting a GSI to three IRQ chips or on MSI. However setup_routing_entry()
+does not properly enforce this, allowing three irqchip routes followed by
+an MSI route to overflow the buffer.
+
+Fix by ensuring that an MSI entry is added to an empty list.
+
+Signed-off-by: Avi Kivity
+---
+ virt/kvm/irq_comm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/virt/kvm/irq_comm.c b/virt/kvm/irq_comm.c
+index a6a0365..5afb431 100644
+--- a/virt/kvm/irq_comm.c
++++ b/virt/kvm/irq_comm.c
+@@ -332,6 +332,7 @@ static int setup_routing_entry(struct kvm_irq_routing_table *rt,
+ */
+ hlist_for_each_entry(ei, n, &rt->map[ue->gsi], link)
+ if (ei->type == KVM_IRQ_ROUTING_MSI ||
++ ue->type == KVM_IRQ_ROUTING_MSI ||
+ ue->u.irqchip.irqchip == ei->irqchip.irqchip)
+ return r;
+
+--
+1.7.10
+
diff --git a/debian/patches/series b/debian/patches/series
index 420d198cf..85f31202d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
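Review bot: The three-entry limit that protects kvm_set_irq()'s buffer is enforced only implicitly, by the added `ue->type == KVM_IRQ_ROUTING_MSI ||` test inside the `hlist_for_each_entry` loop of setup_routing_entry(), and nothing in the visible lines ties that test to the buffer size. Since the new test does not depend on `ei`, it would read more clearly as a guard ahead of the loop, e.g. `if (ue->type == KVM_IRQ_ROUTING_MSI && !hlist_empty(&rt->map[ue->gsi])) return r;`, with a comment such as `/* kvm_set_irq() holds at most three routes per GSI; an MSI route must be the only entry */`. The limit also appears to rely on each irqchip value being unique and range-checked, which happens outside this hunk, so an explicit bound at the copy site in kvm_set_irq() would be worth raising upstream as defense in depth. The body of setup_routing_entry() starts and ends outside the hunk.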
@@ -324,3 +324,5 @@ bugfix/all/macvtap-zerocopy-fix-truesize-underestimation.patch
 bugfix/all/macvtap-zerocopy-put-page-when-fail-to-get-all-reque.patch
 bugfix/all/macvtap-zerocopy-set-SKBTX_DEV_ZEROCOPY-only-when-sk.patch
 bugfix/all/macvtap-zerocopy-validate-vectors-before-building-sk.patch
+
+bugfix/all/KVM-Fix-buffer-overflow-in-kvm_set_irq.patch