diff --git a/debian/changelog b/debian/changelog
index 24d43df65..e0d5c2b04 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -458,6 +458,7 @@ linux (4.9.6-1) UNRELEASED; urgency=medium
 * [arm64,armhf] video/fbdev: Enable FB_EFI (Closes: #851778)
 * fs: Disable LOGFS, as it is unmaintained and will be removed in 4.10
 * [rt] genpatch.py: Verify tag and tarball signatures
+ * fbdev: color map copying bounds checking (CVE-2016-8405)
 [ Roger Shimizu ]
 * [armel] Add DT support of Buffalo Linkstation Live v3 (LS-CHL)
diff --git a/debian/patches/bugfix/all/fbdev-color-map-coying-bounds-checking.patch b/debian/patches/bugfix/all/fbdev-color-map-coying-bounds-checking.patch
new file mode 100644
index 000000000..10c6e2a6e
--- /dev/null
+++ b/debian/patches/bugfix/all/fbdev-color-map-coying-bounds-checking.patch
@@ -0,0 +1,80 @@
+From: Kees Cook
+Date: Tue, 24 Jan 2017 15:18:24 -0800
+Subject: fbdev: color map copying bounds checking
+Origin: https://git.kernel.org/linus/2dc705a9930b4806250fbf5a76e55266e59389f2
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-8405
+
+Copying color maps to userspace doesn't check the value of to->start,
+which will cause kernel heap buffer OOB read due to signedness wraps.
+
+CVE-2016-8405
+
+Link: http://lkml.kernel.org/r/20170105224249.GA50925@beast
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kees Cook
+Reported-by: Peter Pi (@heisecode) of Trend Micro
+Cc: Min Chong
+Cc: Dan Carpenter
+Cc: Tomi Valkeinen
+Cc: Bartlomiej Zolnierkiewicz
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+---
+ drivers/video/fbdev/core/fbcmap.c | 26 ++++++++++++++------------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/video/fbdev/core/fbcmap.c b/drivers/video/fbdev/core/fbcmap.c
+index f89245b8ba8e..68a113594808 100644
+--- a/drivers/video/fbdev/core/fbcmap.c
++++ b/drivers/video/fbdev/core/fbcmap.c
+@@ -163,17 +163,18 @@ void fb_dealloc_cmap(struct fb_cmap *cmap)
+ 
+ int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to)
+ {
+- int tooff = 0, fromoff = 0;
+- int size;
++ unsigned int tooff = 0, fromoff = 0;
++ size_t size;
+ 
+ if (to->start > from->start)
+ fromoff = to->start - from->start;
+ else
+ tooff = from->start - to->start;
+- size = to->len - tooff;
+- if (size > (int) (from->len - fromoff))
+- size = from->len - fromoff;
+- if (size <= 0)
++ if (fromoff >= from->len || tooff >= to->len)
++ return -EINVAL;
++
++ size = min_t(size_t, to->len - tooff, from->len - fromoff);
++ if (size == 0)
+ return -EINVAL;
+ size *= sizeof(u16);
+ 
+@@ -187,17 +188,18 @@ int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to)
+ 
+ int fb_cmap_to_user(const struct fb_cmap *from, struct fb_cmap_user *to)
+ {
+- int tooff = 0, fromoff = 0;
+- int size;
++ unsigned int tooff = 0, fromoff = 0;
++ size_t size;
+ 
+ if (to->start > from->start)
+ fromoff = to->start - from->start;
+ else
+ tooff = from->start - to->start;
+- size = to->len - tooff;
+- if (size > (int) (from->len - fromoff))
+- size = from->len - fromoff;
+- if (size <= 0)
++ if (fromoff >= from->len || tooff >= to->len)
++ return -EINVAL;
++
++ size = min_t(size_t, to->len - tooff, from->len - fromoff);
++ if (size == 0)
+ return -EINVAL;
+ size *= sizeof(u16);
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 2f7f984bd..fd40d0c7a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -99,6 +99,7 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
+bugfix/all/fbdev-color-map-coying-bounds-checking.patch
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
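Review bot: The new file is named `fbdev-color-map-coying-bounds-checking.patch`, misspelling "copying" (the Subject line inside the patch has it right), and the same misspelling is carried into debian/patches/series; renaming it to `fbdev-color-map-copying-bounds-checking.patch` in both places before this lands would spare a later rename. The patch body matches the upstream commit named in its Origin header, so its hunks should stay as they are; note only that once `if (fromoff >= from->len || tooff >= to->len)` has returned -EINVAL, both `to->len - tooff` and `from->len - fromoff` are at least 1 (assuming `len` is unsigned, as its comparison against the unsigned offsets suggests), so the retained `if (size == 0)` check appears unreachable and is merely harmless belt-and-braces. The bodies of both `fb_copy_cmap` and `fb_cmap_to_user` continue past the end of their inner hunks, so the copies that consume `size` are not visible here.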