diff --git a/debian/changelog b/debian/changelog
index 050fd6091..1359e226f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -147,6 +147,7 @@ linux (4.9.14-1) UNRELEASED; urgency=medium
 * Ignore ABI changes in rds and ufshcd, not useful to OOT modules
 * ucount: Remove the atomicity from ucount->count (CVE-2017-6874)
 * userns: Avoid ABI change for CVE-2017-6874 fix
+ * [amd64] Don't WARN about expected W+X pages on Xen (see #852324)
 
 [ Salvatore Bonaccorso ]
 * ACPI / EC: Use busy polling mode when GPE is not enabled.
diff --git a/debian/patches/debian/amd64-don-t-warn-about-expected-w+x-pages-on-xen.patch b/debian/patches/debian/amd64-don-t-warn-about-expected-w+x-pages-on-xen.patch
new file mode 100644
index 000000000..e6225da79
--- /dev/null
+++ b/debian/patches/debian/amd64-don-t-warn-about-expected-w+x-pages-on-xen.patch
@@ -0,0 +1,32 @@
+From: Ben Hutchings
+Date: Thu, 16 Mar 2017 03:05:43 +0000
+Subject: [amd64] Don't WARN about expected W+X pages on Xen
+Bug-Debian: https://bugs.debian.org/852324
+Forwarded: not-needed
+
+Currently Xen PV domains (or at least dom0) on amd64 tend to have a
+large number of low kernel pages with W+X permissions. It's not
+obvious how to fix this, and we're not going to get any new
+information by WARNing about this, but we do still want to hear about
+other W+X cases. So add a condition to the WARN_ON.
+
+---
+--- a/arch/x86/mm/dump_pagetables.c
++++ b/arch/x86/mm/dump_pagetables.c
+@@ -17,6 +17,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+
+@@ -220,7 +221,7 @@ static void note_page(struct seq_file *m
+ pgprotval_t pr = pgprot_val(st->current_prot);
+
+ if (st->check_wx && (pr & _PAGE_RW) && !(pr & _PAGE_NX)) {
+- WARN_ONCE(1,
++ WARN_ONCE(!(IS_ENABLED(CONFIG_X86_64) && xen_pv_domain()),
+ "x86/mm: Found insecure W+X mapping at address %p/%pS\n",
+ (void *)st->start_address,
+ (void *)st->start_address);
diff --git a/debian/patches/series b/debian/patches/series
index e2f635a5b..9bb5e6be4 100644
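Review bot: The new WARN_ONCE condition in note_page() silences the W+X warning for every mapping in an amd64 Xen PV domain, not only the low kernel pages the description calls expected, so an unrelated writable-and-executable mapping on such a system would no longer be logged with its address. If the expected range can be bounded, the condition should also test `st->start_address` against it; failing that, a lower-severity line such as `pr_info_once("x86/mm: W+X mapping at %p on Xen PV, not WARNing\n", (void *)st->start_address);` on the suppressed path would keep the address visible. A comment above the WARN_ONCE, for example `/* Xen PV on amd64 has known W+X low kernel pages (Debian #852324); skip the WARN there */`, would record why the exemption exists. The body of note_page() continues outside the hunk, so whether the W+X page count is still reported elsewhere cannot be confirmed from here.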
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -46,6 +46,9 @@ bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch
 # Taint if dangerous features are used
 debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch
 
+# Reduce noise for bug #852324
+debian/amd64-don-t-warn-about-expected-w+x-pages-on-xen.patch
+
 # Arch bug fixes
 bugfix/x86/asoc-intel-select-dw_dmac_core-since-it-s-mandatory.patch
 bugfix/x86/platform-x86-acer-wmi-setup-accelerometer-when-machi.patch