diff --git a/debian/changelog b/debian/changelog
index 73a308110..d276c9f62 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -392,6 +392,7 @@ linux (4.19.20-1) UNRELEASED; urgency=medium
 [ Salvatore Bonaccorso ]
 * [x86] kvmclock: set offset for kvm unstable clock (Closes: #918036)
+ * kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)
 [ Hideki Yamane ]
 * [x86] Enable Touchpad support on Gemini Lake via CONFIG_PINCTRL_GEMINILAKE
diff --git a/debian/patches/bugfix/all/kvm-fix-kvm_ioctl_create_device-reference-counting-C.patch b/debian/patches/bugfix/all/kvm-fix-kvm_ioctl_create_device-reference-counting-C.patch
new file mode 100644
index 000000000..0ac911484
--- /dev/null
+++ b/debian/patches/bugfix/all/kvm-fix-kvm_ioctl_create_device-reference-counting-C.patch
@@ -0,0 +1,57 @@
+From: Jann Horn
+Date: Sat, 26 Jan 2019 01:54:33 +0100
+Subject: kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)
+Origin: https://git.kernel.org/linus/cfa39381173d5f969daf43582c95ad679189cbc9
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6974
+
+kvm_ioctl_create_device() does the following:
+
+1. creates a device that holds a reference to the VM object (with a borrowed
+ reference, the VM's refcount has not been bumped yet)
+2. initializes the device
+3. transfers the reference to the device to the caller's file descriptor table
+4. calls kvm_get_kvm() to turn the borrowed reference to the VM into a real
+ reference
+
+The ownership transfer in step 3 must not happen before the reference to the VM
+becomes a proper, non-borrowed reference, which only happens in step 4.
+After step 3, an attacker can close the file descriptor and drop the borrowed
+reference, which can cause the refcount of the kvm object to drop to zero.
+
+This means that we need to grab a reference for the device before
+anon_inode_getfd(), otherwise the VM can disappear from under us.
+
+Fixes: 852b6d57dc7f ("kvm: add device control API")
+Cc: stable@kernel.org
+Signed-off-by: Jann Horn
+Signed-off-by: Paolo Bonzini
+---
+ virt/kvm/kvm_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index 5ecea812cb6a..585845203db8 100644
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -3000,8 +3000,10 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
+ if (ops->init)
+ ops->init(dev);
+
++ kvm_get_kvm(kvm);
+ ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC);
+ if (ret < 0) {
++ kvm_put_kvm(kvm);
+ mutex_lock(&kvm->lock);
+ list_del(&dev->vm_node);
+ mutex_unlock(&kvm->lock);
+@@ -3009,7 +3011,6 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
+ return ret;
+ }
+
+- kvm_get_kvm(kvm);
+ cd->fd = ret;
+ return 0;
+ }
+--
+2.11.0
+
diff --git a/debian/patches/series b/debian/patches/series
index 6dfce01cf..947f82baa 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -139,6 +139,7 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
+bugfix/all/kvm-fix-kvm_ioctl_create_device-reference-counting-C.patch
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch
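Review bot: In the error path of the first inner hunk, `kvm_put_kvm(kvm);` is executed before `mutex_lock(&kvm->lock);`, so the reference this function just took for the device is dropped and then the VM's lock is taken on the same object. That is only sound because the ioctl caller still holds the VM open through its own file descriptor, which keeps the count above zero here; the code relies on that invariant without saying so. Moving the put to after `mutex_unlock(&kvm->lock);` would keep the lock inside the window the reference covers, or at minimum a comment such as `/* caller's VM fd keeps kvm alive across the lock below */` should sit above the put. The enclosing kvm_ioctl_create_device() starts and ends outside the hunk, and the line between the two inner hunks (presumably the device teardown) is not shown.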