diff --git a/debian/changelog b/debian/changelog
index aeaddef5e..7f8abfa87 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,7 @@ linux (4.19.118-3) UNRELEASED; urgency=medium
   * [rt] Add new signing key for Tom Zanussi
   * apparmor: don't try to replace stale label in ptraceme check
     (Closes: #963493)
+  * nfsd: apply umask on fs without ACL support (Closes: #962254)
 
  -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 13 May 2020 17:44:43 +0200
 
diff --git a/debian/patches/bugfix/all/nfsd-apply-umask-on-fs-without-ACL-support.patch b/debian/patches/bugfix/all/nfsd-apply-umask-on-fs-without-ACL-support.patch
new file mode 100644
index 000000000..eee6a276d
--- /dev/null
+++ b/debian/patches/bugfix/all/nfsd-apply-umask-on-fs-without-ACL-support.patch
@@ -0,0 +1,56 @@
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Tue, 16 Jun 2020 16:43:18 -0400
+Subject: nfsd: apply umask on fs without ACL support
+Origin: http://git.linux-nfs.org/?p=bfields/linux.git;a=commit;h=22cf8419f1319ff87ec759d0ebdff4cbafaee832
+Bug-Debian: https://bugs.debian.org/962254
+
+The server is failing to apply the umask when creating new objects on
+filesystems without ACL support.
+
+To reproduce this, you need to use NFSv4.2 and a client and server
+recent enough to support umask, and you need to export a filesystem that
+lacks ACL support (for example, ext4 with the "noacl" mount option).
+
+Filesystems with ACL support are expected to take care of the umask
+themselves (usually by calling posix_acl_create).
+
+For filesystems without ACL support, this is up to the caller of
+vfs_create(), vfs_mknod(), or vfs_mkdir().
+
+Reported-by: Elliott Mitchell <ehem+debian@m5p.com>
+Reported-by: Salvatore Bonaccorso <carnil@debian.org>
+Tested-by: Salvatore Bonaccorso <carnil@debian.org>
+Fixes: 47057abde515 ("nfsd: add support for the umask attribute")
+Cc: stable@vger.kernel.org
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+---
+ fs/nfsd/vfs.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
+index c3fbab1753ec..d22a056da477 100644
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -1226,6 +1226,9 @@ nfsd_create_locked(struct svc_rqst *rqstp, struct svc_fh *fhp,
+ 		iap->ia_mode = 0;
+ 	iap->ia_mode = (iap->ia_mode & S_IALLUGO) | type;
+ 
++	if (!IS_POSIXACL(dirp))
++		iap->ia_mode &= ~current_umask();
++
+ 	err = 0;
+ 	host_err = 0;
+ 	switch (type) {
+@@ -1458,6 +1461,9 @@ do_nfsd_create(struct svc_rqst *rqstp, struct svc_fh *fhp,
+ 		goto out;
+ 	}
+ 
++	if (!IS_POSIXACL(dirp))
++		iap->ia_mode &= ~current_umask();
++
+ 	host_err = vfs_create(dirp, dchild, iap->ia_mode, true);
+ 	if (host_err < 0) {
+ 		fh_drop_write(fhp);
+-- 
+2.27.0
+
diff --git a/debian/patches/series b/debian/patches/series
index fe2527ec2..65f345823 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -103,6 +103,7 @@ bugfix/all/rtc-s35390a-set-uie_unsupported.patch
 bugfix/all/include-uapi-linux-swab.h-fix-userspace-breakage-use.patch
 bugfix/all/ALSA-pcm-oss-Place-the-plugin-buffer-overflow-checks.patch
 bugfix/all/apparmor-don-t-try-to-replace-stale-label-in-ptracem.patch
+bugfix/all/nfsd-apply-umask-on-fs-without-ACL-support.patch
 
 # Miscellaneous features