diff --git a/debian/changelog b/debian/changelog
index 88fb015f8..53fe8a6f0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -138,6 +138,7 @@ linux (4.9.18-1) UNRELEASED; urgency=medium
 * xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window (CVE-2017-7184)
 * xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder (CVE-2017-7184)
+ * scsi: sg: check length passed to SG_NEXT_CMD_LEN (CVE-2017-7187)
 -- Ben Hutchings Mon, 27 Mar 2017 21:54:36 +0100
diff --git a/debian/patches/bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch b/debian/patches/bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch
new file mode 100644
index 000000000..7def878e3
--- /dev/null
+++ b/debian/patches/bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch
@@ -0,0 +1,29 @@
+From: peter chang
+Date: Wed, 15 Feb 2017 14:11:54 -0800
+Subject: scsi: sg: check length passed to SG_NEXT_CMD_LEN
+Origin: https://git.kernel.org/cgit/linux/kernel/git/mkp/scsi.git/commit?id=bf33f87dd04c371ea33feb821b60d63d754e3124
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7187
+
+The user can control the size of the next command passed along, but the
+value passed to the ioctl isn't checked against the usable max command
+size.
+
+Cc:
+Signed-off-by: Peter Chang
+Acked-by: Douglas Gilbert
+Signed-off-by: Martin K. Petersen
+---
+ drivers/scsi/sg.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -998,6 +998,8 @@ sg_ioctl(struct file *filp, unsigned int
+ result = get_user(val, ip);
+ if (result)
+ return result;
++ if (val > SG_MAX_CDB_SIZE)
++ return -ENOMEM;
+ sfp->next_cmd_len = (val > 0) ? val : 0;
+ return 0;
+ case SG_GET_VERSION_NUM:
diff --git a/debian/patches/series b/debian/patches/series
index 145dfa659..764340fdb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
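Review bot: The added guard `if (val > SG_MAX_CDB_SIZE)` in the embedded sg.c hunk has no comment saying why the bound exists, and it reports an out-of-range argument as `-ENOMEM`; I would add `/* next_cmd_len is user-controlled: reject lengths above the usable max command size */` above it. `-EINVAL` would describe the failure better to user space, but the Origin header marks this as an upstream backport, so that is a point to raise upstream rather than change here. If `val` is signed, negative values pass the new comparison and are then clamped to 0 by the following `(val > 0) ? val : 0`, so the stored length stays within 0..SG_MAX_CDB_SIZE. The declaration of `val` and the code that consumes `sfp->next_cmd_len` are outside the hunk, so both are worth confirming, as is whether any other path writes that field. The `sg_ioctl` body starts and ends outside the hunk.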
@@ -121,6 +121,7 @@ debian/time-mark-timer_stats-as-broken.patch
 bugfix/all/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch
 bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
 bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
+bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch