diff --git a/debian/changelog b/debian/changelog
index fb3ea82bb..3cf66fa96 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -11,6 +11,7 @@ linux (3.2.39-3) UNRELEASED; urgency=low [ Ben Hutchings ] * [x86] ata_piix: reenable MS Virtual PC guests (fixes regression in 3.2.19-1) + * vhost: fix length for cross region descriptor (CVE-2013-0311) -- Ben Hutchings Wed, 27 Feb 2013 03:48:30 +0000
diff --git a/debian/patches/bugfix/all/vhost-fix-length-for-cross-region-descriptor.patch b/debian/patches/bugfix/all/vhost-fix-length-for-cross-region-descriptor.patch
new file mode 100644
index 000000000..da4bad637
--- /dev/null
+++ b/debian/patches/bugfix/all/vhost-fix-length-for-cross-region-descriptor.patch
@@ -0,0 +1,31 @@
+From: "Michael S. Tsirkin"
+Date: Mon, 26 Nov 2012 05:57:27 +0000
+Subject: vhost: fix length for cross region descriptor
+
+commit bd97120fc3d1a11f3124c7c9ba1d91f51829eb85 upstream.
+
+If a single descriptor crosses a region, the
+second chunk length should be decremented
+by size translated so far, instead it includes
+the full descriptor length.
+
+Signed-off-by: Michael S. Tsirkin
+Acked-by: Jason Wang
+Signed-off-by: David S. Miller
+---
+ drivers/vhost/vhost.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
+index 99ac2cb..dedaf81 100644
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -1076,7 +1076,7 @@ static int translate_desc(struct vhost_dev *dev, u64 addr, u32 len,
+ }
+ _iov = iov + ret;
+ size = reg->memory_size - addr + reg->guest_phys_addr;
+- _iov->iov_len = min((u64)len, size);
++ _iov->iov_len = min((u64)len - s, size);
+ _iov->iov_base = (void __user *)(unsigned long)
+ (reg->userspace_addr + addr - reg->guest_phys_addr);
+ s += size;
diff --git a/debian/patches/series b/debian/patches/series
index 40e23cd54..b980c6b5b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
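Review bot: In the translate_desc hunk of the added vhost patch, the new `min((u64)len - s, size)` is an unsigned subtraction that is only safe while `s < len`, and nothing inside the hunk shows that guarantee. Because the following `s += size` advances by the whole remainder of the region rather than by `_iov->iov_len`, `s` can exceed `len` after the final chunk, so the fix presumably relies on the enclosing loop stopping once `s >= len`; that loop header lies outside the hunk and should be confirmed in the 3.2 tree this backport targets. I would add a comment above the assignment such as `/* s < len is guaranteed by the loop condition, so len - s cannot wrap */`. The patch header also never names CVE-2013-0311, which only the changelog entry records; one line citing it in the patch description would keep the security context with the patch itself.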
@@ -630,3 +630,4 @@ bugfix/x86/x86-efi-Make-noefi-really-disable-EFI-runtime-serivc.patch
 bugfix/all/mm-fix-pageblock-bitmap-allocation.patch
 bugfix/all/USB-usb-storage-unusual_devs-update-for-Super-TOP-SA.patch
 debian/x86-efi-avoid-abi-change-in-3.2.38.patch
+bugfix/all/vhost-fix-length-for-cross-region-descriptor.patch