diff --git a/debian/changelog b/debian/changelog
index dfd6ab4e4..724da7be6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,8 @@ linux (4.19.118-2+deb10u1) UNRELEASED; urgency=medium
 * fs/namespace.c: fix mountpoint reference counter race (CVE-2020-12114)
 * USB: core: Fix free-while-in-use bug in the USB S-Glibrary (CVE-2020-12464)
+ * [x86] KVM: SVM: Fix potential memory leak in svm_cpu_init()
+ (CVE-2020-12768)
 -- Salvatore Bonaccorso Thu, 28 May 2020 23:02:30 +0200
diff --git a/debian/patches/bugfix/x86/kvm-svm-fix-potential-memory-leak-in-svm_cpu_init.patch b/debian/patches/bugfix/x86/kvm-svm-fix-potential-memory-leak-in-svm_cpu_init.patch
new file mode 100644
index 000000000..5e0cd3ca9
--- /dev/null
+++ b/debian/patches/bugfix/x86/kvm-svm-fix-potential-memory-leak-in-svm_cpu_init.patch
@@ -0,0 +1,65 @@
+From: Miaohe Lin
+Date: Sat, 4 Jan 2020 16:56:49 +0800
+Subject: KVM: SVM: Fix potential memory leak in svm_cpu_init()
+Origin: https://git.kernel.org/linus/d80b64ff297e40c2b6f7d7abc1b3eba70d22a068
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-12768
+
+When kmalloc memory for sd->sev_vmcbs failed, we forget to free the page
+held by sd->save_area. Also get rid of the var r as '-ENOMEM' is actually
+the only possible outcome here.
+
+Reviewed-by: Liran Alon
+Reviewed-by: Vitaly Kuznetsov
+Signed-off-by: Miaohe Lin
+Signed-off-by: Paolo Bonzini
+---
+ arch/x86/kvm/svm.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index 8787a123b8e7..ff02aeb23616 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -1005,33 +1005,32 @@ static void svm_cpu_uninit(int cpu)
+ static int svm_cpu_init(int cpu)
+ {
+ struct svm_cpu_data *sd;
+- int r;
+
+ sd = kzalloc(sizeof(struct svm_cpu_data), GFP_KERNEL);
+ if (!sd)
+ return -ENOMEM;
+ sd->cpu = cpu;
+- r = -ENOMEM;
+ sd->save_area = alloc_page(GFP_KERNEL);
+ if (!sd->save_area)
+- goto err_1;
++ goto free_cpu_data;
+
+ if (svm_sev_enabled()) {
+- r = -ENOMEM;
+ sd->sev_vmcbs = kmalloc_array(max_sev_asid + 1,
+ sizeof(void *),
+ GFP_KERNEL);
+ if (!sd->sev_vmcbs)
+- goto err_1;
++ goto free_save_area;
+ }
+
+ per_cpu(svm_data, cpu) = sd;
+
+ return 0;
+
+-err_1:
++free_save_area:
++ __free_page(sd->save_area);
++free_cpu_data:
+ kfree(sd);
+- return r;
++ return -ENOMEM;
+
+ }
+
+--
+2.27.0.rc0
+
diff --git a/debian/patches/series b/debian/patches/series
index c3e7b0010..610328ed5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
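Review bot: The `sd->sev_vmcbs` array in svm_cpu_init() is still allocated with `kmalloc_array()`, so its `max_sev_asid + 1` pointer slots start out uninitialized; the patch fixes the leak on the failure path but leaves that allocation as it was. If any reader compares or dereferences an entry before it has been written (those readers are outside this hunk, so this needs confirming), stale heap contents would be treated as a valid VMCB pointer. A zeroing allocation closes that off at no real cost: `sd->sev_vmcbs = kcalloc(max_sev_asid + 1, sizeof(void *), GFP_KERNEL);`. Since this file is a backport of an upstream commit, the change would belong in a separate follow-up patch rather than in an edit to this one.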
@@ -303,5 +303,6 @@ bugfix/s390x/s390-mm-fix-page-table-upgrade-vs-2ndary-address-mod.patch
 bugfix/all/selinux-properly-handle-multiple-messages-in-selinux.patch
 bugfix/all/fs-namespace.c-fix-mountpoint-reference-counter-race.patch
 bugfix/all/usb-core-fix-free-while-in-use-bug-in-the-usb-s-glib.patch
+bugfix/x86/kvm-svm-fix-potential-memory-leak-in-svm_cpu_init.patch
 # ABI maintenance